Optus cyberattack was not highly sophisticated or one that required advanced skills – ACMA tells Federal Court

The Australian Communications and Media Authority (ACMA) has filed a claim with the Federal Court of Australia against Optus over the 2022 cyberattack which saw the personal details of millions of Australians exposed to hackers – worst of all, ACMA claims quite specifically that the cyberattack was not “highly sophisticated” as claimed by then Optus CEO Kelly Bayer-Rosmarin.

At the time of the hack, it was clear the scale of this was enormous: the personally identifiable information of 9.5 million current and former customers was exposed to hackers who threatened to expose it online or sell it on the dark web.

Ms Bayer-Rosmarin was quoted at the time as saying: “Without saying too much, the IP address kept moving … it’s a sophisticated attack.”

Well, as suspected by many at the time, that was certainly not the case – in fact the ACMA filing states specifically “The cyberattack was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge of Optus’ processes or systems. It was carried out through a simple process of trial and error.”

The case before the Federal Court will play out in September after Optus has time to respond to the claim, with ACMA requesting that they disclose the outcome of an audit that took place after the attack, as well as generally allowing them time to consider the ACMA action.

ACMA’s claim alleges that Optus failed to protect the information of its customers from the hack, and as such contravened Section 187A of the Telecommunications Act.

The ACMA seeks civil penalties against Optus for that failure, specifically relating to the 3.6 million active customers of Optus affected.

In the claim submitted to the Federal Court, it is outlined that Optus’ systems had vulnerabilities that were traced back to a coding error that happened in September 2018.

Staggeringly, Optus detected the vulnerability in August 2021 and made a correction, but only on their main servers. That same issue was still active on another server – which of course is where the hackers obtained the data.

Critically, their failure is that that secondary server – vulnerable to attack for two years – was not decommissioned, despite there being no need for it at all.

The cyberattack occurred between September 17 2022 and September 20. The attacker simply exploited the coding error, bypassed access controls and sent continual requests to target APIs to obtain the customer data.

Optus became aware of the attack at 8pm on the 19th of September and blocked traffic to the server at 3.45am the next day.

Bottom line, this was probably the simplest hack of all time given the scale of the data exposed, and the manner in which it was accessed.

A full statement of claim will be filed in July, with Optus set to produce its defence by the end of August, and ACMA’s response due at the start of September.

ACMA has requested that Optus produce a copy of their final report from Deloitte into the cyberattack, with the matter listed for hearing on 13 September this year.

The matter is listed for a case management hearing at 9.30 am on 13 September 2024.
