There's no such thing as non-production vs. production systems, IMHO; as long as it exists, it's a system requiring security checks and protections.
Anyway, a key point is not to have a network design that's like Poland, where people can just drive across it with little effort. That goes for developers and hackers. It should be organizationally hard for a developer to request to connect a test application to a production system. Change control should automatically put that as a ticket for review, and the network team should also be cagey about doing it. It was a big oversight.
The mixing of personal data back into an insecure test system is also a bit iffy. If you think about classification for government secrets, sometimes a large volume of low-level data will attract a high protection, because its loss represents significant harm.
Optus should have seen its database of client secrets as a top-secret asset and guarded it as such. The release of this information is having profound impacts on many governments and government systems, as well as the individuals (almost 50% of Australia).
I think we are still too accepting of non-technically-literate CEOs. They don't have to know how to solve all the issues, but they should know to be very, very curious about their IT systems. And this is a telco!
Imagine you're a project manager at a telco, and you are given a project to make a network link from a capital city to a nearby town. You hire some contractors to dig up the dirt, lay down the fibre, put the dirt back in, and then you are done. The project is finished! The budget is spent, and then there is no more money, and nothing to spend it on anyway.
Fibre does not need security patches. Fibre does not need monthly updates. You can simply forget about it, because it doesn't have an end-of-support date. Copper will eventually corrode away and need replacing, but we're talking timescales on the order of 40, 60, 80 years or more, not 4-8 years like in the software world.
Those project managers get promoted, eventually to senior management. The whole budget starts revolving around these short-term, "done and dusted" type projects. Nobody at any senior layer of management develops an expectation of anything else. You deploy things, then you move on to the next project! MOVE. ON.
The same people manage IT and software, but this is a relatively new thing. Certainly a new scale to these organisations. I've been in telco "data centres" 20 years ago, and they were... cute. Just a big office room with maybe two dozen racks in them, the majority of which were optical switching gear.
Now? Telcos might have thousands of virtual machines running tens of thousands of distinct pieces of software. Software deployed in projects run by the same project managers that were used to laying fibre and walking away.
This kind of breach is the consequence of this corporate culture. It's not just the CEO, it's also the COO, the CFO, the CIO, and all the way down to all but the last tier of random befuddled contractors wondering why they're not allowed to touch anything that's not actively being built new.
Don't think for a second that any of the other major telcos are any different or better.
Strongly disagree. If it's an isolated copy of your production system with fake credentials, fake data, etc, there's no associated risk. We explicitly turn off various security checks in our nonprod environment because it makes it easier to poke around and debug issues. That would never fly in prod, for obvious reasons.
If that's truly the case, and it's fake data, I'd generally agree. That isn't what's happened with Optus, and I dare say with many other orgs, where "nonprod" is generally interchangeable with "less secure".
Also security is not one dimensional. A system's required level of confidentiality might be very different from its required level of availability. Being explicit about this might be better than trying to lump different requirements into a "production" label.
From a security point of view I agree - certainly my current employer makes no distinction and a vulnerability is a vulnerability no matter where it is.