Data leak
Wikipedia / UpGuard / ACMA / SecurityScorecard
Primary Source
Incident Details
Australian telco Optus exposed an unauthenticated, internet-facing API because a coding error from 2018 had never been fully remediated. Over 3 days in Sept 2022 the attacker used simple trial-and-error requests to enumerate customer records. 9.8M customers were affected; 2.1M had identity documents stolen (1.2M of them valid ID numbers). The data included names, DOBs, addresses, phone numbers, email addresses, passport numbers and driver's license numbers. A ransom demand of AUD$1.5M was briefly posted and then retracted. ACMA sued Optus, and reforms to the Australian Privacy Act were accelerated.
Technical Details
- Initial Attack Vector
- CWE-306: Missing Authentication for Critical Function (an internet-exposed API on a sub-domain had no authentication because a 2018 coding error was not remediated)
- Vendor / Product
- Optus telecommunications customer portal
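As an added example (not part of this record and not Optus's code), a small Python detection routine run over constructed access-log lines: it flags a client that requests many distinct customer IDs from a record endpoint within a short window, the trial-and-error enumeration pattern described above. The endpoint path `/api/customers/<id>`, the log format and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined style, not real Optus logs).
# 203.0.113.7 walks consecutive customer IDs; 198.51.100.4 is an ordinary client.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2022:02:14:01 +1000] "GET /api/customers/1000001 HTTP/1.1" 200 512
203.0.113.7 - - [19/Sep/2022:02:14:02 +1000] "GET /api/customers/1000002 HTTP/1.1" 200 498
203.0.113.7 - - [19/Sep/2022:02:14:02 +1000] "GET /api/customers/1000003 HTTP/1.1" 404 0
203.0.113.7 - - [19/Sep/2022:02:14:03 +1000] "GET /api/customers/1000004 HTTP/1.1" 200 505
203.0.113.7 - - [19/Sep/2022:02:14:04 +1000] "GET /api/customers/1000005 HTTP/1.1" 200 511
203.0.113.7 - - [19/Sep/2022:02:14:05 +1000] "GET /api/customers/1000006 HTTP/1.1" 200 509
198.51.100.4 - - [19/Sep/2022:02:15:00 +1000] "GET /api/customers/2233445 HTTP/1.1" 200 501
198.51.100.4 - - [19/Sep/2022:02:15:30 +1000] "GET /api/customers/2233445 HTTP/1.1" 200 501
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \d+')
ID_RE = re.compile(r"^/api/customers/(\d+)$")  # hypothetical record endpoint path

def parse_hits(log_text):
    """Yield (ip, timestamp, customer_id, status) for each request to the record endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        pm = ID_RE.match(m["path"]) if m else None
        if not pm:
            continue  # unparsable line or a request to some other path
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, int(pm.group(1)), int(m["status"])

def find_enumerators(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (distinct_ids, sequential_steps)} for clients that requested at least
    `threshold` distinct customer IDs within any `window`.  404s count as well: probing a
    sparse ID space produces many misses, and that is itself a signal."""
    by_ip = defaultdict(list)
    for ip, ts, cid, _status in parse_hits(log_text):
        by_ip[ip].append((ts, cid))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ids = [cid for ts, cid in hits[i:] if ts - start <= window]
            if len(set(ids)) >= threshold:
                # consecutive IDs one step apart: the trial-and-error walk, not a real user
                seq = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
                flagged[ip] = (len(set(ids)), seq)
                break
    return flagged
```

The real fix is authentication on the endpoint (CWE-306); this check is the compensating detection a defender would want in place while such an endpoint is exposed.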
Timeline
- 2022-09-19 Breach occurred
- 2022-09-22 Publicly disclosed
- 2022-09-22 Customers notified