Yes of course Optus suffered a “cyber attack”, just one which looks like it was trivial to accomplish

It’s still an attack even if the defences were useless. It’s still a crime even if it were easy to commit. Optus may have been a target ripe for the taking, and may well have been negligent, but the hackers are still the baddies here.

We still don’t know what enabled the massive data breach at Optus, nor who the data thieves were or how they got there. Here’s what we knew last week. Since then we’ve learned very little more.

The thing that shits me, though, is people bleating that “It wasn’t a hack!” or “It wasn’t an attack!” because, as the supposed hackers claim, they used an application programming interface (API) that was open to the world, with no access controls and no encryption.


Of course it was a hack.

What’s the first step of any intrusion onto a target network? Reconnaissance. You look for a way in. And bingo! Here’s a server called api dot whatever. How does it respond when I poke at it? Oh, it gives me data! What happens if I try with a different contact ID? Oh lovely, it gives me that person’s data too. Off we go! Hack accomplished.

My guess is that (some) people who style themselves “hackers” like to think of themselves as smart, and their hacks as clever and complicated. How dare someone do something easy and call it a hack!

I reckon it’s probably an ego thing. I’m 1337 H4x0r and you’re not.

It presumably stings them even more that the purported hacker — remember we still don’t know whether the person talking to journalists is the actual thief or someone coming along later — appears to have folded early.

So we’re calling for tougher, more competent cyber criminals now?

As an aside, we also don’t know whether the attackers would have still been able to execute an attack even if the defences were much, much stronger. Maybe they were good enough, maybe not. But we don’t know.

Same for the pushback against calling it an attack.

I think Josh Withers summed it up well when he tweeted, “I feel like calling it an attack reduces the responsibility on Optus to lock the doors”. I can see how people can think that.

My view, though, is that if Optus were under attack — which every corporation is every day of the year — and they knew they were under attack, why were their defences so weak?

Why were their internal processes so terrible?

Why did they have such an ad hoc and immature response system?

“General, Sir, two teenagers on bicycles carrying pointed sticks have just ridden across the border and taken over the capital! What shall we tell the President?”

“Don’t worry, Colonel, I’ll tell him it wasn’t really an attack.”

Of course it was an attack! There was an intention to do harm, and harm was done. It was a remarkably successful attack against a cyber castle made of… nothing but bullshit and hot air.

Optus is already looking really, really bad. I’m guessing the Deloitte review will make them look even worse. Good. May they suffer in their jocks.

But don’t forget that a person or persons unknown walked into Optus, walked out with their data, and at least two actors then tried to make money from it through extortion — one or more demanding the million-dollar ransom, another with a poorly thought through SMS scam.

Don’t forget that they’re the baddies here.

[Photo: “I hate Optus” stencil graffiti seen on a fence in Enmore, Sydney, on 28 March 2009.]