June 21, 2024 at 01:44AM
Australian telco Optus suffered a data breach due to a coding error in its API access controls, exposing over nine million customers’ personal information. The breach went undetected for years, allowing an attacker to bypass access controls and retrieve customer data. Regulatory authority ACMA is pursuing Optus with civil penalties. Singtel, Optus’s owner, plans to defend the case.
Based on the provided meeting notes, the data breach at Australian telco Optus resulted from a coding error that broke API access controls and was left in place for years, leading to the exposure of over nine million customers’ personal information. The breach was discovered by the Australia’s Communications and Media Authority (ACMA), which is pursuing Optus using its regulatory powers. It was found that the coding error affected both the “Main” and “Target” domains, with the error being fixed for the Main domain in 2021 but remaining undetected on the Target domain. This allowed an attacker to bypass access controls and retrieve customer information for 9.5 million people. ACMA is seeking civil penalties in the case, while Singtel, the owner of Optus, has advised investors that it will defend the case but cannot determine the quantum of penalties.