Optus Mobile has been penalized $826,320 following an investigation by the Australian Communications and Media Authority (ACMA), which uncovered 44 violations of anti-scam regulations. These breaches permitted scammers to commandeer customer mobile numbers and gain access to their bank accounts.
The infractions took place in September and October of 2024 while Optus was running the Coles Mobile service. According to ACMA, the scammers exploited a flaw in a third-party identity-verification system utilized by Optus, enabling them to circumvent necessary security protocols during mobile number transfers. Four customers experienced disruptions to their mobile services, resulting in reported financial losses totaling $39,000, alongside incidents of identity theft.
Samantha Yorke, an ACMA Authority Member, underscored the serious repercussions stemming from vulnerabilities in telecommunications identity-verification procedures. Describing the lapse as “inexcusable,” she emphasized that scammers proactively seek out systemic weaknesses, highlighting the critical role robust verification processes play in safeguarding consumers.
While the issue was addressed promptly, ACMA exercised its authority to impose the maximum fine permissible for such breaches. The agency has recognized mobile number fraud as an enforcement priority, delivering over $1.9 million in penalties over the previous year for violations of the Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020.
ACMA has urged consumers to take immediate action by contacting their telecom provider and financial institution if they suspect their mobile number may have been compromised or if they fall victim to a phone-based scam.
—
In this case, Optus Mobile serves as the target of the breaches, which originated from vulnerabilities within their operational framework in Australia. The incident raises concerns regarding the integrity of identity-verification systems, which are crucial to maintaining the security of consumer information.
From a cybersecurity perspective, potential MITRE ATT&CK tactics and techniques relevant to this incident could include techniques for initial access, where adversaries could have infiltrated through manipulating identity verification processes. Additionally, persistence may have been achieved by maintaining control over the compromised mobile numbers, while privilege escalation can be inferred as scammers potentially gaining unauthorized access to sensitive financial account information. These tactics underscore the vital need for businesses to implement more robust cybersecurity protocols to thwart such attacks and protect consumer assets effectively.
