ACMA alleges blunder over 9.5 million Optus data breach
By Seia Ibanez
The digital age has brought us countless conveniences, but with those conveniences come risks, as the recent Optus data breach painfully reminds us.
In a world where personal information is increasingly stored in the cloud, data security is paramount.
Unfortunately, for 9.5 million Australians, a simple coding error at one of the country's largest telecommunications companies, Optus, has led to a significant breach of privacy.
The Australian Communications and Media Authority (ACMA) shared details of the cyber attack that occurred in September 2022, which was not the result of an elaborate scheme by cybercriminals but rather a 'trial and error' attack that exploited a coding error left unaddressed for years.
This breach has exposed names, dates of birth, phone numbers, and email addresses, with the personal details of about 10,200 individuals subsequently surfacing on the dark web.
The ACMA's investigation into the breach has revealed a troubling timeline. A dormant web API became vulnerable in June 2020 due to a coding error made in September 2018.
While Optus corrected a similar issue on its main website in August of the following year, it failed to recognise and address the same problem in a secondary system.
This oversight allowed the vulnerability to remain exposed, and the dormant domain was left susceptible to attack for two years without being decommissioned.
The ACMA's legal action against Optus, initiated in May this year, is not just a slap on the wrist.
‘The target domain was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it,’ the filing read.
‘The cyber attack was not highly sophisticated or one that required advanced skills… it was carried out through a simple process of trial and error.’
The Authority is seeking penalties for what it alleges are breaches of the Telecommunications Act 1997, which could amount to a staggering theoretical maximum of $900 million, considering each breach carries a penalty of up to $250,000.
Optus has expressed its intent to defend the proceedings. Interim CEO Michael Venter has publicly stated that the company ‘deeply regrets the cyber attack occurred’.
‘Our customers expected their information would remain safe. We accept that this did not happen,’ he said.
‘This vulnerability was exploited by a motivated and determined criminal… The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.’
Venter also highlighted the company's ongoing investment in cyber defences to address the 'heightened global cyber risk environment' and its commitment to regaining customer trust.
‘Optus will continue to cooperate with the ACMA on this matter, although it intends to defend this action and, where necessary, correct the record,’ he said.
‘It will ultimately be a matter for the Federal Court to determine whether there has been any breach or the appropriateness of any sanctions against Optus.’
The case is set to return before Justice Jonathan Beach in September for a case management hearing.
Have you been affected by the Optus breach or a similar incident? How has it impacted your trust in digital services? Let us know in the comments below!
Key Takeaways
- A coding error is alleged to have been the cause of a massive data breach at Optus, exposing the personal details of 9.5 million Australians.
- The Australian Communications and Media Authority (ACMA) claimed the vulnerability was due to a coding error that Optus failed to detect or fix over a period of four years.
- Personal details of customers were compromised and, in some cases, published on the dark web, prompting legal action by the ACMA seeking penalties for alleged breaches of the Telecommunications Act 1997.
- Optus acknowledged the cyber attack, expressed regret, and stated its intention to defend the legal proceedings while continuing to invest in cyber defences. The outcome of the breach and any potential sanctions against Optus will be determined by the Federal Court.