Optus data breach (millions of customers affected)
What happened
On 22 September 2022, Australian telecommunications provider Optus disclosed that it had been the target of a cyberattack exposing the personal information of a large number of current and former customers. Reporting and subsequent regulatory filings indicate that records of roughly 9.5 to 9.8 million people were accessed. Exposed data included names, dates of birth, phone numbers, email addresses and, for a subset of customers, home addresses and identity-document numbers such as passport and driver-licence numbers. Optus stated that around 2.1 million customers had identity-document numbers compromised.
The Australian Communications and Media Authority (ACMA) later alleged in Federal Court proceedings that the breach stemmed from a historical access-control coding error affecting an exposed application programming interface (API), which allowed customer records to be retrieved without authentication. Shortly after the breach, a person claiming responsibility posted sample customer records online and sought a ransom payment, threatening to release further data; that demand was later withdrawn. Separately, an individual was arrested over attempts to extort affected customers directly. The incident prompted investigations by the Office of the Australian Information Commissioner (OAIC) and the ACMA, examining whether Optus took adequate steps to protect personal information.
Assessment
Available reporting and regulatory filings characterise this as a criminal data breach exploiting an exposed, inadequately protected API; there is no established attribution to any state actor, and such an inference would be unsupported. The exposure of identity-document numbers heightened identity-fraud and phishing risks for affected individuals, prompting document reissuance and credit-monitoring measures. The episode drew significant regulatory and legal scrutiny in Australia and contributed to wider debate over data-retention and security obligations for telecommunications providers. Specific technical and liability findings remained subject to ongoing legal proceedings.
This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.