ACMA alleges Optus failed to protect its customer data

Optus had at least three opportunities to identify and rectify this vulnerability before it got exploited.
27 June 2024

The Australian Communications and Media Authority (ACMA) is alleging that Optus failed to protect its customer data. 

This data breach was due to an unprotected API endpoint left open to the internet. 

ACMA claims that control measures were in place for the API, but a coding error weakened one of them, making it possible to bypass. The error was able to be exploited because the API endpoint was both internet-facing and had been inactive for a long period.

Optus noticed the coding error in August 2021, but only on its primary website, www.optus.com.au. It did not fix the same issue for the API endpoint located on a subdomain.

ACMA believes that Optus had at least three opportunities to identify and rectify this vulnerability before it got exploited.

The endpoint was taken offline on September 21, 2022, just four days after the data breach was uncovered. 

A detailed forensic study by Deloitte is likely to reveal more technical specifics of the breach. This report is also expected to feature in a separate class-action lawsuit filed against Optus.

ACMA released a concise statement, redacting specific system and technology names. 

Optus' interim CEO, Michael Venter, said that Optus will continue cooperating with ACMA and will defend its position in the Federal Court case.

- CyberBeat

 
