Australian Privacy Regulator Takes Legal Action Against Optus Following 2022 Hack


Telecom Faces Potential Fines Up to $2.22 Million per Violation

[Image: Australian Privacy Regulator Sues Optus Over 2022 Hack. Credit: Marlon Trottmann/Shutterstock]

The Australian Information Commissioner has initiated legal action against Optus, one of the country’s largest telecommunications companies, alleging the firm failed to adequately secure sensitive customer data in a significant breach that occurred in September 2022. The incident reportedly impacted nearly 10 million individuals, raising serious concerns regarding data privacy and security practices.

The regulatory body asserts that Optus did not implement reasonable safeguards over the three years leading up to the data breach. “Organizations must be incredibly alert to the considerable threats present in today’s cyber environment,” stated Australian Information Commissioner Elizabeth Tydd. Following the incident, an investigation was launched by the Office of the Australian Information Commissioner in October 2022 to evaluate the circumstances surrounding the breach.

The breach, described as one of Australia’s most severe to date, involved the unauthorized access and theft of data such as email addresses, birth dates, and phone numbers. Among the compromised data were active government ID details for 1.2 million customers, along with 17,000 valid Medicare ID numbers, according to revelations from Optus.

Should the Australian courts impose the maximum penalty of AU$2.22 million for each of the 9.5 million individuals affected, Optus could face fines totaling up to AU$21.9 trillion—an amount almost eight times larger than Australia’s gross domestic product. Such a substantial penalty underscores the gravity of the regulatory response to data privacy violations.

The hacker, using the handle “optusdata,” initially claimed responsibility for the breach, allegedly demanding AU$1 million to refrain from selling the stolen data in criminal circles. After releasing information on 10,000 customers, the hacker ultimately chose not to follow through on the threat, citing a “change of heart” and concerns over attracting attention. The hacker also claimed that the data had been deleted. Whatever became of the stolen records, the episode exposed weaknesses in Optus’s defenses.

Reports indicate that the breach stemmed from a poorly secured database API. In MITRE ATT&CK terms, this falls under the Initial Access tactic, most plausibly the Exploit Public-Facing Application technique. A coding error dating back to 2018 reportedly left the API without access controls. Notably, Optus came close to remediating the flaw in August 2021 but did not decommission the dormant API, which remained exposed and exploitable for an extended period.

An Optus spokesperson has reiterated the company’s commitment to addressing the issues surrounding the breach, offering an apology while refraining from further comment due to ongoing litigation. This incident is part of a disturbing trend, as Australia experienced a series of cyberattacks in 2022, leading to heightened scrutiny on the country’s cyber resilience and data protection frameworks.

In a related matter, the Australian Communications and Media Authority filed a separate lawsuit against Optus, citing the same errors that led to the API’s exposure. As the nation grapples with the fallout from these security breaches, senior Australian officials have publicly committed to transforming the country into the “world’s most cyber-secure nation by 2030.”
