‘Not highly sophisticated’: Coding error behind Optus data breach for 9.5 million Australians, ACMA alleges
Hackers were able to obtain personal details for millions of current and former Optus customers in a “trial and error” attack exploiting a coding error, Australia’s telecommunications watchdog alleges.
Australia’s telecommunications watchdog has alleged Optus could have fixed a simple coding error four years before hackers were able to steal personal details of millions of customers.
In a claim published by the Federal Court on Wednesday, the Australian Telecommunications and Media Authority (ACMA) outlined how it alleged the September 2022 cyber attack took place and the failures of Optus to notice or fix the vulnerability.
About 9.5 million current and former customers were caught up in the breach, with personal information including names, dates of birth, phone numbers and email addresses exposed over three days.
The personal details of about 10,200 people were subsequently published on the dark web.
The ACMA, which launched legal action against Optus in May this year, alleges a coding error in September 2018 left a dormant web API vulnerable when it became internet accessible in June 2020.
It’s alleged Optus identified that its main website was vulnerable and fixed the error in August the following year, but did not notice the same issue affected the second system.
“The target domain was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it,” the filing reads.
“The cyber attack was not highly sophisticated or one that required advanced skills … it was carried out through a simple process of trial and error.”
The Authority alleges Optus had the opportunity to identify the coding error at several stages in the four years before the breach.
The ACMA is seeking penalties, alleging Optus breached the Telecommunications Act at least 3.6 million times — the estimated number of active Optus subscribers at the time.
If proven, each breach carries a penalty of up to $250,000, resulting in a theoretical maximum of $900 million.
Optus has previously declared its intent to defend the proceedings, saying it had already apologised to customers and reimbursed the cost of new identity documents.
In a statement, interim chief executive Michael Venter said the telco “deeply regrets the cyber attack occurred”.
“Our customers expected their information would remain safe. We accept that this did not happen,” he said.
“This vulnerability was exploited by a motivated and determined criminal … The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.”
Mr Venter said the company was continuing to invest in its cyber defences to meet the “heightened global cyber risk environment”, and was working tirelessly to regain customer trust.
“Optus will continue to cooperate with the ACMA on this matter, although it intends to defend this action and where necessary, correct the record,” he said.
“It will ultimately be a matter for the Federal Court to determine whether there has been any breach or the appropriateness of any sanctions against Optus.”
The case will next return before Justice Jonathan Beach in September for a case management hearing.