Optus domain unsecured for four years led to data breach – ACMA

Regulator seeks civil damages over cyber-attack that breached 9.5 million customer records.

Robert Clark, Contributing Editor, Special to Light Reading

June 21, 2024


Optus's customer data breach in 2022 was the result of a software vulnerability that had gone unnoticed for four years, Australian regulator ACMA has said in a court filing.

The agency has filed a civil suit against the telco over the hack, which it alleges was caused by a "coding error" that left the customer database open to attack.

In an Australian Federal Court filing Wednesday, ACMA said Optus had failed to protect the confidentiality of "personally identifiable information of around 3.5 million customers."

"The records of over 9.5 million former and current customers of Singtel Optus (and approximately 36% of the Australian population) were accessed during the cyberattack," it said.

The full name, email address, date of birth and phone number of all customers had been leaked, as well as the physical address of more than 3.2 million and the passport or driver's license details of 2.5 million people, ACMA said. Additionally, identifiable personal details of more than 10,000 Optus customers had been published on the dark web.

The authority said it was seeking civil penalties against Optus for alleged breaches of the Telecommunications (Interception & Access) Act that affected at least 3.6 million active customers.

'Coding error'

ACMA said the telco's failure was the result of "a coding error which it did not detect during (and for four years prior to)" the breach.

The customer data was stored on a domain that had been dormant since 2017 but had not been decommissioned until after the cyberattack.

According to ACMA, the breached domain was supposed to be secured by access controls, but a coding error in September 2018 caused the controls to be ineffective. Optus did not discover the error until after the breach in September 2022.
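The filing says only that a coding error made the domain's access controls "ineffective" and that the domain had been dormant since 2017; it does not describe the code. The block below is an added illustration, not Optus's code, of the general defensive point: an authorization check must fail closed for every endpoint, and an inventory sweep that probes each known path without a credential catches a forgotten legacy path before an attacker does. The endpoint list, token store and path names are all constructed for the example.

```python
"""Fail-open versus fail-closed authorization, with an inventory sweep.

Hypothetical example for this article. It does not reproduce the Optus
defect, which the ACMA filing does not describe in code terms.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Request:
    path: str
    token: Optional[str]  # presented credential, None when absent


# Constructed sample data (not real identifiers)
VALID_TOKENS = {"tok-abc123": "ops-team"}
ENDPOINTS = [
    "/api/v2/customers",   # current API, explicitly covered by the rule
    "/api/v1/customers",   # legacy path nobody decommissioned
    "/health",             # intentionally public liveness probe
]
PUBLIC_PATHS = {"/health"}


def authorize_fail_open(req: Request) -> bool:
    """Defective pattern: allow unless a rule explicitly denies.

    Only the v2 path was ever given a rule, so any path the rule author
    forgot, such as a dormant legacy endpoint, falls through to allow.
    """
    if req.path.startswith("/api/v2/"):
        return req.token in VALID_TOKENS
    return True  # default allow: this is the whole problem


def authorize_fail_closed(req: Request) -> bool:
    """Hardened pattern: deny unless the path is public or the credential is valid.

    The allow-list of public paths is the only way past the check, so a path
    that was never thought about is denied rather than silently served.
    """
    if req.path in PUBLIC_PATHS:
        return True
    if req.token is None:
        return False
    return req.token in VALID_TOKENS


def find_unauthenticated_reachable(
    authorize: Callable[[Request], bool], endpoints: List[str]
) -> List[str]:
    """Regression sweep: which inventoried endpoints answer with no credential?

    Run against every known host and path, dormant ones included; anything
    outside the public allow-list that comes back True is a finding.
    """
    return [
        path
        for path in endpoints
        if path not in PUBLIC_PATHS and authorize(Request(path, token=None))
    ]


if __name__ == "__main__":
    print("fail-open exposes:", find_unauthenticated_reachable(authorize_fail_open, ENDPOINTS))
    print("fail-closed exposes:", find_unauthenticated_reachable(authorize_fail_closed, ENDPOINTS))
```

The sweep is the part worth automating: it is cheap to run on a schedule against an asset inventory, and it would flag exactly the case the article describes, a path that is still served but no longer on anyone's list of things to protect.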

In a separate development Friday, Optus handed over a report by Deloitte into the attack to a law firm pursuing a class action against the company. The study had been carried out in 2022 in the wake of the cyber-attack but has been kept confidential ever since.

Optus argued in court the report was protected under legal privilege and that it had been commissioned to provide legal advice. The court rejected its claims, pointing out that a company press release had described the report as helping to "inform the response to the incident."

The class action, filed in April 2023 on behalf of 10,000 customers, alleges that Optus breached Australian privacy law, consumer protection law, its contract with customers and duty of care to customers.

Optus has suffered severe reputational damage from the dual impact of the data breach and a national network outage last November, forcing the departure of former CEO Kelly Bayer Rosmarin.

Parent Singtel recorded a 2 billion Singapore dollar (US$1.48 billion) write-off of its Optus business in the last financial year after assessing the recovery value of the company was below its carrying value.


About the Author(s)

Robert Clark

Contributing Editor, Special to Light Reading

Robert Clark is an independent technology editor and researcher based in Hong Kong. In addition to contributing to Light Reading, he also has his own blog, Electric Speech (http://www.electricspeech.com).
