Optus Disputes Severity Of Cyberattack

by · channelnews

Optus, which was the target of a 2022 cyberattack that threatened the personal information of more than 9 million of its customers, has disputed the Australian communication regulator’s assessment of the attack as having not been “highly sophisticated.”

The telco is in the midst of a Federal Court battle against the Australian Communications and Media Authority (ACMA), after the latter alleged that the Singaporean-owned company did not protect customers’ confidential information before being hit by a cyberattack between September 17-20, 2022.

In its statement of claim filed last week, ACMA alleges the hack was “not a highly sophisticated cyberattack and did not require advanced skills” and that it was “carried out through a process of trial and error”, reported the Australian Financial Review.

The telco, meanwhile, contests that view, saying, “The cyber-attacker commenced the cyberattack with a high degree of knowledge of Optus’ systems, including certain [redacted] that were proprietary and confidential to Optus.”

Details of Optus’ defence released by the courts have been redacted, including in which databases the customers’ personal information was stored.

Information on the company’s security measures and how the cyberattacker avoided detection alerts was also redacted.

ACMA alleges that a publicly accessible internet domain, known as the “target domain”, was readily identifiable by examining Optus’ web or mobile sites.

“From 12 July 2018, a post on the website GitHub.com identified the target domain and code to retrieve data using one of the target APIs [application programming interfaces],” ACMA said.

The cyberattacker was reportedly able to access customers’ personal information due to a coding error in September 2018 that left the target domain (api.www.optus.com.au), as well as the main Optus domain (www.optus.com.au), inadequately protected, ACMA claims.

The telco says that the cyberattacker could read the data for some 9.5 million people stored in Singtel Optus databases, and that the data of 10,198 individuals was published on the internet.

While acknowledging that its mobile business collected personal information from its customers, it denied that it “held” information such as driver’s licence numbers, Medicare card numbers, birth certificate details and names and addresses.

“The personal information was stored in databases owned by Optus Systems Pty Limited, another entity in the Optus group of companies, accessible to and by Optus Mobile for authorised purposes,” the company said.

ACMA claims Optus’ actions breached the Australian Telecommunications Act on at least 3.6 million occasions. Each contravention carries a maximum penalty of $250,000.

A further twist in the saga came when Optus hired Deloitte to undertake an independent external review of the cyberattack and its security systems, controls and processes, but then began a court battle to stop Deloitte’s report from being released as part of class action proceedings brought by Slater & Gordon on behalf of the telco group’s customers.

Optus has already lost that court fight to keep Deloitte’s report under wraps, and while that report will not be publicly released, some of the information in it could become public by way of the class action proceedings.

The court has ordered copies of not only the Deloitte report but also another report investigating the matter, prepared in December 2022 by US cybersecurity firm Mandiant, a subsidiary of Google.

Apart from the 2022 incident, the telco also faced an unplanned outage towards the end of last year. It incurred a $480 million annual net loss for the 12 months to March 31 this year, six times more than the previous year’s $79 million loss.