Optus cyberattack was not highly sophisticated or one that required advanced skills – ACMA tells Federal Court

The Australian Communications and Media Authority (ACMA) has filed a claim with the Federal Court of Australia against Optus over the 2022 cyberattack which saw the personal details of millions of Australians exposed to hackers – worst of all, ACMA claims quite specifically that the cyberattack was not “highly sophisticated”, as then Optus CEO Kelly Bayer-Rosmarin had claimed.

At the time of the hack it was clear the scale was enormous: the personally identifiable information of 9.5 million current and former customers was exposed to hackers, who threatened to publish it online or sell it on the dark web.

Ms Bayer-Rosmarin was quoted at the time as saying: “Without saying too much, the IP address kept moving … it’s a sophisticated attack.”

Well, as many suspected at the time, that was certainly not the case – in fact the ACMA filing states specifically: “The cyberattack was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge of Optus’ processes or systems. It was carried out through a simple process of trial and error.”

The case before the Federal Court will play out in September, after Optus has had time to respond to the claim. ACMA has requested that Optus disclose the outcome of an audit that took place after the attack, and Optus has also been given time to consider the ACMA action generally.

ACMA’s claim alleges that Optus failed to protect the information of its customers from the hack, and in doing so contravened Section 187A of the Telecommunications Act.

ACMA seeks civil penalties against Optus for that failure, specifically in relation to the 3.6 million active Optus customers affected.

The claim submitted to the Federal Court outlines that the vulnerabilities in Optus’ systems were traced back to a coding error made in September 2018.

Staggeringly, Optus detected the vulnerability in August 2021 and corrected it, but only on its main servers; the same issue remained active on another server – which of course is where the hackers obtained the data.

Critically, the failure is that this secondary server – vulnerable to attack for two years – was never decommissioned, despite there being no need for it at all.

The cyberattack occurred between 17 and 20 September 2022. The attacker simply exploited the coding error, bypassed access controls and sent continual requests to the target APIs to obtain the customer data.

Optus became aware of the attack at 8pm on 19 September and blocked traffic to the server at 3.45am the next day.
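The filing describes continual requests to an API, made by trial and error, and a gap of several hours before the traffic was blocked. That pattern, a single client reading far more distinct customer records than any real customer ever would, is one of the easier things to catch in API access logs. The following is an added example, not code from Optus, ACMA or the filing: it assumes a hypothetical endpoint of the form `/api/customer/<id>` and a constructed log format of `timestamp ip method path status`, and it flags any client that reads more than a set number of distinct customer records inside a sliding time window. The thresholds and sample log lines are constructed for illustration.

```python
"""Flag bulk customer-record enumeration in API access logs.

Added example, not from the page or from Optus. Assumptions (hypothetical):
  - customer records are served from /api/customer/<numeric id>
  - each log line is "<ISO-8601 timestamp> <client ip> <method> <path> <status>"
  - thresholds below are illustrative, not values taken from the ACMA filing
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
CUSTOMER_PATH_RE = re.compile(r"^/api/customer/(\d+)$")


def parse_line(line):
    """Parse one constructed access-log line; return None for lines we cannot read."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
    }


def find_enumeration(lines, window=timedelta(minutes=5), max_distinct_ids=20):
    """Return {ip: {"distinct_ids": n, "requests": m}} for every client that
    successfully read more than max_distinct_ids distinct customer records
    within any single window. Only 200 responses to the customer endpoint
    count, so health checks and failed requests do not inflate the figure."""
    per_ip = defaultdict(list)  # ip -> list of (timestamp, customer_id)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = CUSTOMER_PATH_RE.match(rec["path"])
        if m is None or rec["status"] != 200:
            continue
        per_ip[rec["ip"]].append((rec["ts"], m.group(1)))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        in_window = Counter()  # customer_id -> hits currently inside the window
        start = 0
        peak_distinct = 0
        for ts, cid in events:
            in_window[cid] += 1
            # Slide the window forward, evicting events older than `window`.
            while ts - events[start][0] > window:
                old_id = events[start][1]
                in_window[old_id] -= 1
                if in_window[old_id] == 0:
                    del in_window[old_id]
                start += 1
            peak_distinct = max(peak_distinct, len(in_window))
        if peak_distinct > max_distinct_ids:
            flagged[ip] = {"distinct_ids": peak_distinct, "requests": len(events)}
    return flagged


def build_sample_log():
    """Constructed sample: one customer re-reading their own record a few times,
    and one client walking 30 consecutive ids in about two minutes."""
    base = datetime(2022, 9, 17, 22, 0, 0)
    lines = []
    for i in range(3):
        t = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{t} 203.0.113.10 GET /api/customer/4711 200")
    for i in range(30):
        t = (base + timedelta(seconds=4 * i)).isoformat()
        lines.append(f"{t} 198.51.100.7 GET /api/customer/{1000 + i} 200")
    lines.append(f"{base.isoformat()} 198.51.100.7 GET /api/health 200")
    return lines


if __name__ == "__main__":
    for ip, stats in find_enumeration(build_sample_log()).items():
        print(f"{ip}: {stats['distinct_ids']} distinct records in window "
              f"({stats['requests']} requests)")
```

The sliding window keeps per-client state to a counter of ids currently inside the window, so the check is linear in the number of log lines and cheap enough to run on a schedule over fresh logs. A threshold of this kind is a detection, not a fix: the underlying problem the filing describes is an endpoint that returned customer data without proper access control on a server nobody had decommissioned, and alerting only shortens the window between first request and blocked traffic.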

Bottom line: given the scale of the data exposed and the manner in which it was accessed, this was probably the simplest hack of all time.

A full statement of claim will be filed in July, with Optus set to produce its defence by the end of August and ACMA’s response due at the start of September.

ACMA has requested that Optus produce a copy of Deloitte’s final report into the cyberattack, with the matter listed for hearing on 13 September this year.

The matter is listed for a case management hearing at 9.30am on 13 September 2024.
