Australia Optus 2022 Data Breach 'Not Highly Sophisticated'

Hackers Exploited Coding Error, Says Australian Communications and Media Authority
The hack behind the 2022 breach of Australian telecom Optus wasn't sophisticated or advanced, said the Australian Communications and Media Authority. (Image: Shutterstock)

Hackers behind the leak of 10 million records from Australia's second-largest telecommunications carrier Optus exploited a vulnerability the company unwittingly inserted four years earlier into a web portal access control.

An investigation by the Australian telecoms regulator said hackers in September 2022 found a "coding error" in the access control shielding an application programming interface connecting the Optus customer portal with a back-end database. The watchdog said the API URL - api.www.optus.com.au - hadn't been actively used since 2017.

The data breach at the Singtel-owned company "was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge," said the Australian Communications and Media Authority in a court filing that became public Wednesday.

"It was carried out through a simple process of trial and error."

The regulator sued Optus in May, alleging the telecom company failed to protect sensitive customer data from unauthorized access (see: Australian Telecom Watchdog Sues Optus Over 2022 Data Breach). It's seeking penalties on behalf of leaked records belonging to 3.6 million Optus active subscribers.

The regulator said a developer in September 2018 made an access control coding error that left both the API URL and the main portal domain open to hacking. Optus fixed the vulnerability in August 2021 so hackers couldn't access the main portal but "did not detect or fix that same issue" for the API domain.

A hacker who later apparently went by the moniker "Optusdata" on a criminal breach forum exploited the coding error between Sept. 17, 2022, and Sept. 20, 2022 (see: Optus Attacker Halts AU$1.5 Million Extortion Attempt).

The data breach included full names, telephone numbers, birthdates and email addresses of active subscribers. The physical addresses of most active subscribers were also included in the data leak, and identifiers such as driver's license number or birth certificate information were also leaked for a majority of active subscribers.

Interim Optus CEO Michael Venter said the incident significantly dented customers' trust and the company continues to provide credit monitoring services to affected customers and reimburse the costs of replacing identity documents.

About the Author

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.
