Optus' failure to address simple coding error blamed for 9.5m customer data cyber breach, ACMA court documents allege.

A coding error which Optus failed to detect and left an API accessing customer data publicly available for years is to blame for the cyber breach that led to the personal details of 9.5 million customers being exposed, ACMA is alleging.

According to the concise statement filed by the Australian Communications and Media Authority (ACMA) to the Federal Court of Australia on 22 May 2024 and made public this week, the cyber attack was the direct result of Optus' failure to detect a coding error for up to four years prior to the cyber breach that occurred in September 2022.

The concise statement alleges the former and current customer data of 9.5 million Australians was accessed by a cyber attacker who exploited this coding error in the attack occurring between 17-20 September. Among the personally identifiable data points captured were names, dates of birth, phone numbers, residential addresses, driver's licence details, passports, Medicare card numbers and birth certificate details. Some of this information was subsequently published by the attacker on the dark web.

According to the filing, during the relevant period, Optus kept customers' personally identifiable information on a sub-system, which interfaced with downstream applications that held customer information. This information was available via what's been described as 'target APIs', which enabled information to be retrieved once a customer was authenticated.

While the target domain was dormant for up to four years prior to the cyber attack, it remained publicly available and was not decommissioned until directly after the cyber breach occurred, ACMA alleges. This was despite Optus detecting its main domain was vulnerable to attack and fixing that specific issue in August 2021.

"The target domain was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it," the concise statement to the court reads. The telco also reportedly had numerous opportunities to identify the issue as early as 2018.

"The cyberattack was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge of Optus' Processes or systems. It was carried out through a simple process of trial and error."

The ACMA is now seeking civil penalties against Optus, a subsidiary of Singtel Optus, for its failure to protect the personally identifiable information of at least 3.6 million of its active customers. Its statement confirms 2.47m customers had identity information accessed in the breach including passport numbers, driver's licence and card numbers, Medicare number or birth certificate information. The details of 10,200 Singtel Optus customers were also published on the dark web.

The regulatory watchdog has already fined Optus $1.5m over the breach, but in its statement noted each of the 3.6m breaches could have a maximum penalty of $250,000 apiece under section 187A of the Telecommunications Act. In its submission, ACMA noted Optus has reimbursed 20,071 customers for replacement identity documents outside of waived costs by agencies, and is in the process of reimbursing agencies for costs incurred in replacing identity documents.

Optus is now required to respond with its defence against the claims by 23 August 2024 and is also required to produce a copy of the final report prepared by Deloitte on the cyberbreach by 21 June 2024. The case hearing is scheduled for 13 September 2024.

At the time of ACMA lodging its action against Optus in May, the telco told media it planned to defend itself against claims that it failed to protect the confidential details of its customers but did not comment further.

Both the Australian Federal Police and ACMA launched inquiries into the breach, and there has also been consumer class action efforts instigated by law firm, Slater + Gordon which has more than 100,000 registered participants.