
Optus hit with ‘maximum fine’ after security lapse exposed customers to scams

Australia’s second-largest telco has received the maximum possible financial penalty from ACMA after exposing Coles Mobile customers to identity theft through security failures.

Optus Chief Executive Officer Stephen Rue has faced several crises during his 13-month tenure. Picture: John Feder

Optus has been fined more than $826,000 for breaching anti-scam laws in its Coles Mobile service, resulting in some customers losing tens of thousands of dollars to scammers.

The supermarket giant has an agency agreement with Optus, which operates the Coles Mobile brand; Optus controls all sales and service.

The Australian Communications and Media Authority launched an investigation into the telco and found that it breached anti-scam laws 44 times between September and October last year.

The regulator’s findings point to a critical security lapse which exposed consumers to financial losses and identity theft. As a result it fined the telco $826,320, which is the maximum penalty ACMA can impose for such a breach.

The investigation revealed that scammers successfully exploited a security weakness in a third-party identity verification system used by Optus. This vulnerability allowed malicious actors to circumvent key steps of the required identity verification process, subsequently gaining unauthorised control of at least four consumers’ mobile services.

This enabled the scammers to access victims’ bank accounts, resulting in reported losses totalling $39,000.

ACMA member Samantha Yorke said scammers were always looking for any weaknesses in systems, and on this occasion Optus left a “vulnerability which directly exposed people to harm”.

“While this was a one-off issue which was quickly remediated, it is inexcusable for any telco not to have robust customer ID verification systems in place, let alone Australia’s second largest provider,” she said.

Ms Yorke said that the financial penalty imposed – the maximum available to ACMA in this specific matter – reflected the serious nature of the failures.

ACMA views the disruption of mobile number fraud as a current compliance priority, highlighting the broader industry-wide challenge of protecting consumers against sophisticated scams. The regulatory standard mandates that telcos must rigorously verify the identity of individuals seeking to transfer their mobile numbers to a new provider before the porting process can be completed.

Optus apologised to customers who were scammed. It blamed the breach on Prvidr, the service provider that handles its porting – the transfer of customers’ phone numbers to new plans.

“A number of mobile numbers were unlawfully ported to one of our brands without customer authorisation. This was the result of a technical issue in the porting system, which is managed by our service provider, Prvidr,” an Optus spokeswoman said.

“Optus acted swiftly in collaboration with Prvidr and other telecommunications providers to correct services for affected customers. The technical issue was resolved within 24 hours of being identified. Prvidr has since enhanced its verification and porting controls, with testing providing assurance of system resilience.”

“Optus sincerely apologises to the 44 customers affected by this. We appreciate the distress this type of crime can cause and are committed to supporting those impacted.”

The spokeswoman said Optus accepted ACMA’s action and said it would strengthen customer protections. “Optus continues to work closely with government, the banking sector, and industry partners to make it increasingly difficult for criminals to misuse telecommunications services for identity theft,” the spokeswoman said.

This case brings the total penalties paid by businesses for breaches of this standard over the past 12 months to more than $1.9m.

The incident with Coles Mobile further intensifies the scrutiny on Optus’s operational and compliance mechanisms, as the telco reels from a triple-0 phone outage in September that has been linked to three deaths.

In June it was fined $100m after it sold mobile phone plans to “vulnerable” Australians it knew couldn’t afford them – including a deaf and mute homeless man – and created scores of fraudulent contracts with First Nations people.

It was one of the biggest penalties imposed on an Australian company, almost matching the $120m settlement Qantas struck last year over its “ghost flights” whereby it misled customers by selling tickets for flights it had already decided to cancel.

Optus chief executive Stephen Rue, who joined the telco in October last year, said at the time that the behaviour was inexcusable and unacceptable.

“I would like to sincerely apologise to all customers affected by the misconduct in some of our stores,” Mr Rue said.

Originally published as Optus hit with ‘maximum fine’ after security lapse exposed customers to scams


Original URL: https://www.couriermail.com.au/business/optus-hit-with-maximum-fine-after-security-lapse-exposed-customers-to-scams/news-story/338f601399aeab3c6173ea86fae42e81