One of Australia’s largest telecommunications companies Optus could have averted the massive 2022 data breach that leaked nearly 9.5 million individuals’ sensitive personal information, the Australian telecom watchdog said.
The Australian Communications and Media Authority in a filing with the Federal Court said, “[Optus] cyberattack was not highly sophisticated or one that required advanced skills.” Its investigation attributed the 2022 Optus data breach to an access control coding error that left an API open to abuse.
The investigation details of ACMA comes weeks after the telecom watchdog took legal action against Optus, in the same court, for allegedly failing to protect customer data adequately.
Coding Error and API Mismanagement Led to Optus Data Breach
The ACMA claimed that Optus had access controls in place for the API but a coding error inadvertently weakened these controls allowing them to be bypassed. This error left the API vulnerable, especially since it was internet-facing and dormant for an extended period.
The vulnerability was reportedly introduced through a coding error in September 2018 and was first noticed in August 2021. But this issue was only fixed for the main site – www.optus.com.au – and not the subdomain (likely api.www.optus.com.au) where the vulnerable API endpoint was hosted.
“The coding error was not identified by Optus until after the cyberattack had occurred in mid-September 2022. Optus had the opportunity to identify the coding error at several stages in the preceding four years including: when the coding change was released into a production environment in September 2018; when the Target Domain (and the Main Domain) became internet-facing through the production environment in June 2020; and when the coding error was detected for the main domain in August 2021.” – ACMA
But the company failed to do so causing alleged harm to more than one-third (approximately 36%) of the Australian population. The telco watchdog alleged that Optus’ failure to protect customer data constitutes a breach of its obligations under Australian law.
Optus’ Response to ACMA’s Allegations
Optus, in a statement to The Cyber Express, confirmed the vulnerability and provided details on the cyberattack. “The cyberattack resulted from the cyber attacker being able to exploit a previously unknown vulnerability in our defenses that arose from a historical coding error,” said Interim CEO of Optus Michael Venter.
“This vulnerability was exploited by a motivated and determined criminal as they probed our defenses, and then exploited and evaded these defenses by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data. The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.” – Michael Venter, Interim CEO of Optus
Venter said following the 2022 Optus data breach, the company has reviewed and updated its systems and processes. It has invested in heightened cyber defenses to address the increased global cyber risk environment.
The company expressed regret over the incident and emphasized its commitment to protecting customer data. “Our customers expected their information would remain safe. We accept that this did not happen, and the cyber attacker gained unauthorised access to some of their information,” Venter said.
Optus suffered a major customer data breach in 2022 that gave malicious actors access to about 9.5 million former and current customers’ sensitive information including names, birth dates, phone numbers, email addresses and, for a subset of customers (2,470,036), addresses and ID document numbers such as driver’s license or passport numbers.
Of these, the hacker also released the personally identifiable information (PII) of 10,200 Optus customers on the dark web.
Deloitte Report Handed to the Federal Court
Post the hack, although the privacy commissioner and ACMC held detailed investigations, Optus itself commissioned an independent external review of the cyberattack. Despite attempts to keep the document confidential, the Australian federal court ordered Optus last month to file this report with the court, which is expected to provide crucial insights into the breach.
“Optus is working with the ACMA and separately Slater and Gordon with the intention of providing them with a confidential version of the Deloitte Report that appropriately protects our customer data and systems from cybercriminals,” Venter told The Cyber Express.
The forensic report prepared by Deloitte detailing the technical aspects of the breach was finally handed over to the federal court on Friday. The details revealed in this report will also be used in a separate class action against Optus.
“Much to do to Fully Regain our Customers’ Trust”
Optus has acknowledged the breach’s impact on customer trust, with Venter expressing deep regret for the incident. Optus has reimbursed 20,071 current and former customers for the cost of replacing identity documents. The company is also covering costs incurred by government agencies related to the breach.
Optus has pledged to cooperate with the ACMA’s investigation and defend its actions in court, aiming to correct any misconceptions and improve its cybersecurity measures.
“Optus recognizes that we still have much to do to fully regain our customers’ trust and we will continue to work tirelessly towards this goal,” – Michael Venter
The Optus data breach highlights the critical importance of robust access controls and diligent monitoring of cybersecurity vulnerabilities. The incident serves as a cautionary tale for organizations worldwide to ensure comprehensive protection of sensitive data and maintain customer trust through proactive and transparent security practices.
As the case progresses, it will provide further insights into the complexities of cybersecurity in the telecommunications sector and the measures necessary to prevent similar breaches in the future.
