Optus domain unsecured for four years led to data breach – ACMA

Regulator seeks civil damages over cyber-attack that breached 9.5 million customer records.

Robert Clark, Contributing Editor, Special to Light Reading

June 21, 2024

2 Min Read
Optus storefront in a mall
(Source: Takatoshi Kurikawa / Alamy Stock Photo)

Optus's customer data breach in 2022 was the result of a software vulnerability that had gone unnoticed for four years, Australian regulator ACMA has said in a court filing.

The agency has filed a civil suit against the telco over the hack, which it alleges was caused by a "coding error" that left the customer database open to attack. 

In an Australian Federal Court filing Wednesday, ACMA said Optus had failed to protect the confidentiality of "personally identifiable information of around 3.5 million customers."

"The records of over 9.5 million former and current customers of Singtel Optus (and approximately 36% of the Australian population) were accessed during the cyberattack," it said.

The full name, email address, date of birth and phone number of all customers had been leaked, as well as the physical address of more than 3.2 million and the passport or driver's license details of 2.5 million people, ACMA said. Additionally, identifiable personal details of more than 10,000 Optus customers had been published on the dark web.

The authority said it was seeking civil penalties against Optus for alleged breaches of the Telecommunications (Interception & Access) Act that affected at least 3.6 million active customers.

'Coding error'

ACMA said the telco's failure was the result of "a coding error which it did not detect during (and for four years prior to)" the breach.

The customer data was stored on a domain that had been dormant since 2017 but had not been decommissioned until after the cyberattack.

According to ACMA, the breached domain was supposed to be secured by access controls, but a coding error in September 2018 caused the controls to be ineffective. Optus did not discover the error until after breach in September 2022.

In a separate development Friday, Optus handed over a report by Deloitte into the attack to a law firm pursuing a class action against the company. The study had been carried out in 2022 in the wake of the cyber-attack but has been kept confidential ever since.

Optus argued in court the report was protected under legal privilege and that it had been commissioned to provide legal advice. The court rejected its claims, pointing out that a company press release had described the report as helping to "inform the response to the incident."

The class action, filed in April 2023 on behalf of 10,000 customers, alleges that Optus breached Australian privacy law, consumer protection law, its contract with customers and duty of care to customers.

Optus has suffered severe reputational damage from the dual impact of the data breach and a national network outage last November, forcing the departure of former CEO Kelly Bayer Rosmarin.

Parent Singtel recorded a 2 billion Singapore dollar (US$1.48 billion) write-off of its Optus business in the last financial year after assessing the recovery value of the company was below its carrying value.

Read more about:


About the Author(s)

Robert Clark

Contributing Editor, Special to Light Reading

Robert Clark is an independent technology editor and researcher based in Hong Kong. In addition to contributing to Light Reading, he also has his own blog,  Electric Speech (http://www.electricspeech.com). 

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like