Posted: 2024-06-20 03:44:36

Optus could have prevented a data hack that leaked the details of about nine and a half million Australians four years prior, the Australian telecommunications watchdog alleges.

The Australian Communications and Media Authority made the claims in a filing to the Federal Court, where it has lodged an action against Optus for failing to protect its customers' personal information during a data breach in 2022.

The cyber attack meant hackers likely made away with the passport and drivers licence numbers of 2.8 million people.

Optus said it intends to defend the allegations.

The Australian Communications and Media Authority brought the action.(ABC News: Clarissa Thorpe)

In its filing, ACMA outlined how it alleged the cyber attack took place.

"Optus' failure was due to a coding error which it did not detect during (and for four years prior to) the [September 17 to 20, 2022]," the authority claimed.

"As a result the personally identifiable information of more than nine and a half million former and current customers of Singtel Optus Pty Limited and its subsidiaries were accessed by a cyber attacker."

ACMA said it would seek civil penalties against Optus for its alleged failure.

Vulnerable domain left 'dormant'

The Federal Court filing detailed a number of "vulnerabilities" ACMA believed the Optus system to have.

It said two of the company's domains had the same coding error for one of its access controls, which left it open to cyber attack.

But ACMA said at one point Optus noticed the error and fixed it — but only on one of its domains.

The other was still left vulnerable.

"Optus has the opportunity to identify the coding error at several stages in the preceding four years," the filing said.

"The [domain] was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it."

Kelly Bayer Rosmarin Senate hearing

Optus CEO Kelly Bayer Rosmarin has since left the role.(ABC News: Simon Beardsell)

Despite then-Optus chief executive Kelly Bayer Rosmarin referring to the attack as 'sophisticated' at the time, ACMA said they disputed the claim.

"The cyber attack was not highly sophisticated or one that required advanced skills or propriety or internal knowledge of Optus' processes or systems," the filing said.

"It was carried out through a simple process of trial and error."

The authority also detailed the harm that had since come from the attack, and said the number of people targeted in the attack was just over a third of Australia's population.

"Of the active subscribers of an Optus service, 3,154,171 customers had their physical address accessed and 2,470,036 had identity information accessed," the filing said.

View More
  • 0 Comment(s)
Captcha Challenge
Reload Image
Type in the verification code above