Optus says it will defend allegations it failed to protect confidential details of 9 million customers in cyber attack

Optus says it will defend allegations it failed to protect confidential details of 9 million customers in cyber attack
  • PublishedMay 24, 2024

Optus will fight allegations from Australia’s communications watchdog that it failed its customers two years ago when a cyber attack led to the leaking of their passport numbers, drivers licence details and personal addresses online.

The September 2022 cyber attack threatened the personal information of more than 9 million Optus customers.

The Australian Communications and Media Authority (ACMA) lodged the action against Optus in the Federal Court of Australia on Monday, and released a short statement:

“We allege that during a data breach which occurred between 17 to 20 September 2022, Optus failed to protect the confidentiality of its customers’ personal information from unauthorised interference or unauthorised access as required under the Telecommunications (Interception and Access) Act 1979 (Cth),” the statement said.

“As this matter is now before the court, the ACMA will not be making any further statements at this time.”

Optus said it would look to defend the allegations, but could not comment further.

The data breach caused Prime Minister Anthony Albanese to call for stricter cyber security laws and attracted criticism from federal authorities.

Optus CEO Kelly Bayer Rosmarin resigned a year later.

Two years on, the full fallout from the cyber attack remains unknown.

How did we get here?

Optus reportedly noticed suspicious activity in its servers on September 20, and sounded the alarm publicly 24 hours later.

While details were scant, the company confirmed cybercriminals had broken into its database of customer information and had access to the home addresses, drivers licences and passport numbers of customers.

Ms Bayer Rosmarin said they were working to resolve the breach as soon as possible.

a woman sitting down just about to do an interview
Kelly Bayer Rosmarin defends Optus’ handling of the data breach in late September 2022. (ABC News)

“It’s just too early for us to give specific numbers. It is a significant number and we want to be absolutely sure when we come out and say how many [customers have been affected],” she said.

She said in a worst case scenario, as many as 9.8 million accounts could have been compromised.

“I’m angry that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it … and I’m very sorry,” Ms Bayer Rosmarin said.

Optus shut down the attack and reported the breach to Australian authorities.

The Australian Federal Police launched a criminal investigation, and ACMA launched its own inquiry into the breach.

A ransom note

As the true scale of the attack became clear, Ms Bayer Rosmarin confirmed the hackers likely made away with the passport and drivers licence numbers of 2.8 million people.

She said the attack had likely been coordinated offshore, with the IP address associated with the account moving between unspecified locations in Europe.

Federal police began monitoring the dark web to track any sale of Optus customers details, and soon a curious post appeared on the website BreachForums.

According to Reuters, the user, known as “optushack”, threatened to publish the data of 10,000 Optus customers a day unless they received $1 million in cryptocurrency.

They published about 100 records to verify their claim, and cyber security experts told the ABC at the time they believed the data to be legitimate.

The user said the company had a week to pay, but later retracted the threat due to “too many eyes” and apologised for having already leaked the data of 10,200 Australians.

Neither the AFP or offshore law enforcement agencies have verified the claims by optushack.

Who’s to blame?

Optus has repeatedly apologised for the breach – even taking out full page advertisements in the country’s major newspapers to reach its customers.

“We’re deeply sorry that a cyber attack has happened on our watch,” it read.

“We know this is devastating and that we’ll need to work hard to regain your trust.”

However Ms Bayer Rosmarin later told ABC Radio Optus “were not the villains”, and the company had “multiple layers of protection in place” for customer information.

She said the company had not done anything deliberate to put data at risk, and it had been sophisticated attack.

The company has also drawn criticism from the federal government over its handling of customer information.

Home Affairs Minister Clare O’Neil said the telco had “left the window open” for cybercriminals.

Optus's full page ad in a newspaper, which says "we're deeply sorry"
Optus’ full page advertisement in The Australian on October 1, 2022. (ABC News: Dannielle Maguire)

“The telecommunications sector [previously] said, ‘Don’t worry about us, we’re really good at cyber security, we’ll do it without being regulated,’ and I would say that this incident really calls that into question,” Ms O’Neil said.

She later told parliament the breach should not have happened.

“Responsibility for the security breach rests with Optus and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” Ms O’Neil said.

What does Optus say?

The ACMA has already fined the telco $1.5 million over the breach following its investigation, and lodged the documents in the Federal Court earlier this week.

An Optus spokesman said the company was aware of the filing.

“At this stage, Optus Mobile is not able to determine the quantum of penalties, if any, that could arise,” he said.

“Optus has previously apologised to its customers and has taken significant steps, including working with the police and other authorities, to protect them.

A woman uses her phone outside an Optus store as a man looks at his.
Optus said it had contacted customers impacted by the breach and was helping them with ID protection.(AAP: Dan Peled)

“It also reimbursed customers for the cost of replacing identity documents.

“Optus intends to defend these proceedings.

“As the matter is now before the courts, Optus is unable to make any further comment.”

Law firm Slater and Gordon has also lodged the class action in the Federal Court on behalf of more than 100,000 registered participants.


Leave a Reply

Your email address will not be published. Required fields are marked *