Optus could have prevented a data hack that leaked the details of about nine and a half million Australians four years prior, the Australian telecommunications watchdog alleges.
The Australian Communications and Media Authority made the claims in a filing to the Federal Court, where it has lodged an action against Optus for failing to protect its customers' personal information during a data breach in 2022.
The cyber attack meant hackers likely made away with the passport and drivers licence numbers of 2.8 million people.
Optus said it intends to defend the allegations.
In its filing, ACMA outlined how it alleged the cyber attack took place.
"Optus' failure was due to a coding error which it did not detect during (and for four years prior to) the [September 17 to 20, 2022]," the authority claimed.
"As a result the personally identifiable information of more than nine and a half million former and current customers of Singtel Optus Pty Limited and its subsidiaries were accessed by a cyber attacker."
ACMA said it would seek civil penalties against Optus for its alleged failure.
Vulnerable domain left 'dormant'
The Federal Court filing detailed a number of "vulnerabilities" ACMA believed the Optus system to have.
It said two of the company's domains had the same coding error for one of its access controls, which left it open to cyber attack.
But ACMA said at one point Optus noticed the error and fixed it — but only on one of its domains.
The other was still left vulnerable.
"Optus has the opportunity to identify the coding error at several stages in the preceding four years," the filing said.
"The [domain] was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it."
Despite then-Optus chief executive Kelly Bayer Rosmarin referring to the attack as 'sophisticated' at the time, ACMA said they disputed the claim.
"The cyber attack was not highly sophisticated or one that required advanced skills or propriety or internal knowledge of Optus' processes or systems," the filing said.
"It was carried out through a simple process of trial and error."
The authority also detailed the harm that had since come from the attack, and said the number of people targeted in the attack was just over a third of Australia's population.
"Of the active subscribers of an Optus service, 3,154,171 customers had their physical address accessed and 2,470,036 had identity information accessed," the filing said.
"The cyber attack led to the personally identifiable information of approximately 10,200 Singtel Optus customers being published on the dark web."
What does Optus say?
Optus interim chief executive Michael Venter said the telco still deeply regrets the cyber attack, and customers had a right to believe their data would be kept safe.
However he said the attack was 'motivated and determined'.
"The cyber attack resulted from the cyber attacker being able to exploit a previously unknown vulnerability in our defences that arose from a historical coding error," he said.
"This vulnerability was exploited by a motivated and determined criminal as they probed our defences, and then exploited and evaded these defences by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data.
"The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection."
He said Optus had since worked to address the vulnerability and continue to invest in cyber defences.
"Optus recognises that we still have much to do to fully regain our customers’ trust and we will continue to work tirelessly towards this goal," Mr Venter said.
"Optus will continue to cooperate with the ACMA on this matter, although it intends to defend this action and where necessary, correct the record.
"It will ultimately be a matter for the Federal Court to determine whether there has been any breach or the appropriateness of any sanctions against Optus."
The next hearing in the Federal Court is set to take place in September.