ACMA alleges that a coding error, described as not advanced, caused the Optus data breach affecting 9.5 million Australians.
Hackers managed to obtain the personal information of millions of current and former Optus customers through an attack exploiting a coding error, according to Australia’s telecommunications watchdog. The Australian Communications and Media Authority (ACMA) has alleged that Optus could have fixed a simple coding mistake four years before hackers accessed the personal details of millions of customers.
In documents filed with the Federal Court, ACMA outlined how the cyber attack in September 2022 occurred and highlighted Optus’s alleged failures to detect or rectify the vulnerability. The breach affected approximately 9.5 million individuals, exposing details such as names, dates of birth, phone numbers, and email addresses over a three-day period. Additionally, personal information of around 10,200 people was subsequently published on the dark web.
ACMA’s claim asserts that a coding error dating back to September 2018 left a dormant web API vulnerable when it became accessible on the internet in June 2020. Optus allegedly identified and corrected a vulnerability on its main website in August of the following year but failed to notice the same issue affecting the second system.
“The target domain remained dormant and vulnerable to attack for two years without being decommissioned despite no longer being needed,” the filing stated.
ACMA contends that Optus had multiple opportunities over the preceding four years to identify the coding error before the breach occurred. The regulatory authority is seeking penalties, claiming that Optus violated the Telecommunications Act at least 3.6 million times, corresponding to the estimated number of active subscribers at the time.
Each proven breach carries a potential penalty of up to $250,000, totaling a maximum of $900 million. Optus has expressed its intention to defend against the allegations, having previously apologized to customers and reimbursed costs related to new identity documents.
Interim CEO Michael Venter acknowledged the breach, stating, “Our customers expected their information to remain secure, and we regret that this did not happen.” He attributed the attack to a determined criminal who exploited the vulnerability using multiple IP addresses to evade detection.
Venter emphasized Optus’s ongoing investment in cybersecurity defenses amid a heightened global risk environment and reiterated the company’s commitment to cooperating with ACMA while preparing to contest the legal action in court. The next steps in the case are scheduled for a case management hearing before Justice Jonathan Beach in September.