‘Not highly sophisticated’: Coding error behind Optus data breach for 9.5 million Australians, ACMA alleges
Australia’s telecommunications watchdog has alleged Optus could have fixed a simple coding error four years before hackers were able to steal personal details of millions of customers.
In a claim published by the Federal Court on Wednesday, the Australian Communications and Media Authority (ACMA) outlined how it alleged the September 2022 cyber attack took place, and how Optus failed to notice or fix the vulnerability.
About 9.5 million current and former customers were caught up in the breach, with personal information including names, dates of birth, phone numbers and email addresses exposed over three days.
The personal details of about 10,200 people were subsequently published on the dark web.
The telecommunications and media authority alleges the hackers exploited the error in a simple process. NewsWire / Damian Shaw Credit: News Corp Australia
The ACMA, which launched legal action against Optus in May this year, alleges a coding error made in September 2018 left a dormant web API vulnerable once that API became internet accessible in June 2020.
It is alleged Optus identified that its main website was vulnerable and fixed the error there in August the following year, but did not notice that the same issue affected the second system.
“The target domain was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it,” the filing reads.
“The cyber attack was not highly sophisticated or one that required advanced skills … it was carried out through a simple process of trial and error.”
Current and former customer data was exposed until 3.45am on September 20, 2022. NCA NewsWire / Christian Gilles Credit: News Corp Australia
The Authority alleges Optus had the opportunity to identify the coding error at several stages in the four years before the breach.
The ACMA is seeking penalties, alleging Optus breached the Telecommunications Act at least 3.6 million times — the estimated number of active Optus subscribers at the time.
If proven, each breach carries a penalty of up to $250,000, giving a theoretical maximum of $900 billion across 3.6 million contraventions.
Optus has declared its intent to defend the proceedings, noting it had already apologised to customers and reimbursed the cost of replacement identity documents.
The case will next return before Justice Jonathan Beach in September for a case management hearing.