Optus hack ‘not highly sophisticated’
Australia’s telecommunications watchdog has alleged Optus could have fixed a simple coding error four years before hackers were able to steal personal details of millions of customers.
In a claim published by the Federal Court on Wednesday, the Australian Telecommunications and Media Authority (ACMA) outlined how it alleged the September 2022 cyber attack took place and the failures of Optus to notice or fix the vulnerability.
About 9.5 million current and former customers were caught up in the breach, with personal information including names, dates of birth, phone numbers and email addresses exposed over three days.
The personal details of about 10,200 people were subsequently published on the dark web.
Optus hack ‘not highly sophisticated’
The ACMA, which launched legal action against Optus in May this year, alleges a coding error in September 2018 left a dormant web API vulnerable when it became internet acceptable in June 2020.
It’s alleged Optus identified it’s main website was vulnerable and fixed the error in August the following year, but did not notice the same issue affected the second system.
“The target domain was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it,” the filing reads.
“The cyber attack was not highly sophisticated or one that required advanced skills … it was carried out through a simple process of trial and error.”
The Authority alleges Optus had the opportunity to identify the coding error at several stages in the preceding four years before the breach.
The ACMA is seeking penalties, alleging Optus breached the Telecommunications Act at least 3.6 million times — the estimated number of active Optus subscribers at the time.
If proven, each breach carries a penalty of up to $250,000, resulting in a theoretical maximum of $900 million.
Optus has previously declared its intent to defend the proceedings, saying it had previously apologised to customers and reimbursed the cost of new identity documents.
The case will next return before Justice Jonathan Beach in September for a case management hearing.