Optus data breach response

At Lexer, privacy and security are our core business. Following on from the recent data breach from Optus, we have prepared this statement for our clients and partners to confirm our ongoing commitment to security and our practice to ensure that our information security management systems (ISMS) and, in particular, our APIs, are configured according to industry best practice.

Our general security practices include: 

  • Information security management system: Lexer has and will continue to create and maintain an information security management system that complies with the requirements of ISO27001:2013. 
  • Risk prevention and reduction: Lexer has and will continue to evaluate information-based risks, establish information security objectives, and execute planned measures to prevent and reduce the occurrence of risks. 
  • Technical measures: Lexer has and will continue to implement technical measures with the aim of protecting information. 
  • Organisational measures: Lexer has and will continue to promote information security measures in all areas of our business activities. 
  • Compliance with laws: Lexer has and will continue to comply with all laws, restrictions, conventions, and internal standards pertaining to information security. 
  • Education: Lexer has and will continue to spare no effort in the area of education, training, and public relations exercises regarding information security. We will ensure that all employees are aware of and fully understand the Basic Information Security Policy. 
  • Audits: Lexer has and will continue to conduct regular information security audits (including SOC 2), with the aim of maintaining and increasing the level of information security. 

The protection of Lexer's sensitive information, in particular that which belongs to Lexer's clients and partners, remains a global priority. 

Our specific practices with respect to APIs include:

  • Public-facing APIs all use best practice authentication methods
  • All of our APIs, whether internal or external, require authentication in order to access (to protect against inadvertent external access)
  • Logging and monitoring software is used to collect data to monitor for potential security threats and vulnerabilities, and to detect unusual system activity or service requests
  • Internally, we use firewall rules to prevent public access to internal APIs
  • Session expiry limits are in place to ensure inactive sessions are closed
  • We utilise IP whitelisting on some of our APIs which may access personal information to limit the IP addresses which can access it, and impose rate limits to stop API abuse
  • Our Profile Read API is provided completely on an 'opt-in' basis
  • All data held and processed by Lexer is encrypted in transit and at rest
  • We use secure storage and rotation of API keys using AWS Secrets Manager