
Australian Authorities Trace Optus Data Breach to Access Control Coding Error, May Seek Hundreds of Millions in Penalties

The final amount of penalties that Optus will pay for its massive 2022 breach remains up in the air as the Australian Communications and Media Authority (ACMA) prepares a court case against the telco giant. A statement of claim attached to mandatory court filings reveals that the agency will frame the Optus data breach as a case of negligence, asserting that the company failed to address an access control coding error that it had known about for some years.

The attacker publicly disclosed the unauthenticated API after they began offering the company’s stolen data for sale, noting that it was open on the internet for anyone to use in the same way. The API endpoint had been intended to let Optus customers access their own account data, but a coding error meant that it served customer records for any identifier supplied in the URL without authentication, so an attacker could simply cycle through the numbers and pull up customer information. The Optus data breach was one of the largest in Australia’s history, exposing personal information for about 10 million customers (over a third of the country’s total population).
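As an added illustration of the flaw the article describes (an endpoint that returns a customer record for whatever numeric identifier appears in the URL, without checking who is asking), the following is hypothetical Python that is not Optus’s code: a weak handler beside a hardened one that ties the record to the authenticated session, plus a simple log check that flags a client walking through consecutive identifiers. All names, records and log lines are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample data (hypothetical; not Optus records or systems).
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "A. Example", "dob": "1980-01-01"},
    1002: {"name": "B. Example", "dob": "1985-02-02"},
}
SESSIONS: Dict[str, int] = {"tok-abc": 1001}  # session token -> owning customer id


def lookup_weak(path_id: int, token: Optional[str]) -> Optional[dict]:
    """Weak pattern: serves whatever record the URL names; the token is never checked."""
    return CUSTOMERS.get(path_id)


def lookup_hardened(path_id: int, token: Optional[str]) -> Optional[dict]:
    """Hardened: require a valid session and only serve the caller's own record.
    Missing session and mismatched id get the same answer, so the id cannot be probed."""
    owner = SESSIONS.get(token) if token else None
    if owner is None or owner != path_id:
        return None  # a real handler would answer 401/403 here
    return CUSTOMERS.get(path_id)


# Constructed access-log lines in the form "<client ip> GET /api/customer/<id>".
SAMPLE_LOG: List[str] = [
    "203.0.113.5 GET /api/customer/1001",
    "203.0.113.5 GET /api/customer/1002",
    "203.0.113.5 GET /api/customer/1003",
    "203.0.113.5 GET /api/customer/1004",
    "203.0.113.5 GET /api/customer/1005",
    "198.51.100.7 GET /api/customer/1002",
]


def flag_enumeration(log_lines: List[str], run_length: int = 5) -> List[str]:
    """Return client ips that requested at least `run_length` consecutive ids."""
    ids_by_client = defaultdict(set)
    for line in log_lines:
        client, _method, path = line.split(" ", 2)
        ids_by_client[client].add(int(path.rsplit("/", 1)[1]))
    flagged = []
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= run_length:
                flagged.append(client)
                break
    return flagged
```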

2022 Optus data breach still hangs over company’s head, penalties could be heavy

The ACMA will contend in court that the Optus data breach was a violation of the company’s consumer data protection obligations. That argument hinges on proving that the company negligently failed to fix the API’s access controls after a coding error left an internet-facing endpoint vulnerable.

The agency notes that Optus internally caught this same coding error when it affected the main company website (www.optus.com.au) in 2021. It argues that the company reasonably should have noticed that the same error was present in the vulnerable access control on a subdomain, and that it in fact passed up three specific chances to do so prior to the September 2022 Optus data breach.

Optus has confirmed that the access control coding error existed and was exploited by the attacker, and has said that it will continue to cooperate with the ACMA. But it also indicated that it will defend itself in court and that it does not agree that the coding error was a matter of negligence.

The ACMA’s case does not appear to involve a digital forensics report commissioned by Optus from auditing and risk management firm Deloitte, which it had been attempting to keep private. In late May, the country’s Federal Court ruled against Optus and ordered portions of the report made available to attorneys for a class action case against the company. Though the report is not protected by legal privilege in terms of court proceedings, it remains unavailable to the general public.

Substantial costs related to the Optus data breach have already been paid, including the reimbursement of over 20,000 current and former customers who were forced to replace identity documents. The company has also compensated some government agencies for costs related to the breach. Millions of dollars more in fines could be forthcoming pending the outcome of this court case, however: the ACMA is alleging that Optus committed 3.6 million violations of the Telecommunications Act (one for each of its active customers at the time), and each of those violations carries a maximum penalty of $250,000, or a total of $900 million if the absolute maximum penalty were sought.

Access control coding error went undetected for years

The access control API was put in place in 2017, and the update that introduced the coding error into the main site took place in 2018. It then took three years for the company to spot the issue on its main domain, and four years for the Optus data breach to occur because the subdomain was never addressed. The ACMA’s case cites three specific opportunities Optus had to address the coding error: just after the September 2018 release of the update, when the subdomain that was eventually compromised was made internet-facing in June 2020, and when the main site’s access control issue was discovered in August 2021.

The Optus data breach was extremely damaging to its victims. Over 2.4 million had highly sensitive personal information like driver’s license or passport and Medicare numbers accessed, and at least 3.1 million had their home addresses leaked. Nearly all of the victims had names, dates of birth, phone numbers and email addresses leaked. A run of high-profile incidents of this sort extending from 2022 into 2023 prompted the Australian government to swiftly strengthen data protection law and cybersecurity requirements, measures that included stepping up the timetable for reform of the Privacy Act 1988 and major increases in potential fines for companies found to be negligent in data handling and security.