
ACMA says coding error to blame for Optus cyber attack

The Australian Communications and Media Authority (ACMA) has claimed that the Optus breach of 2022 was the result of a coding error that allowed open access to an API.

Daniel Croft
Fri, 21 Jun 2024

As revealed in a statement published yesterday (20 June), the ACMA will claim in court that while Optus had controls in place to protect the API from threats, a coding error made those controls bypassable and the API accessible.

“Optus’ failure was due to a coding error which it did not detect during (and for four years prior to) the [data breach period],” the ACMA said in a statement to the Federal Court.

“As a result, the personally identifiable information of more than 9.5 million former and current customers of Singtel Optus Pty Limited and its subsidiaries was accessed by a cyber attacker.”


The ACMA also claims that the API was vulnerable through two different domains, www.optus.com.au (which it refers to as the main domain) and api.www.optus.com.au (the target domain), from 20 April 2017.

While Optus identified the issue and patched it for the main domain in August 2021, it did not “detect or fix that same issue which affected the target domain”.
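The failure class the ACMA describes, a fix landing on one hostname while an alias serving the same endpoint keeps the old behaviour, in miniature. This is an added illustration, not Optus's code, and it does not claim to reproduce the actual bug: the two hostnames are the ones named in the ACMA statement, but the per-host policy table, the handlers, the token and the customer record are all constructed for the example. The point it makes is twofold: an authentication decision that depends on the Host header has as many places to go wrong as there are aliases, and the regression check that would have caught the gap is to send the same anonymous request to every host that fronts the API, not only the primary one.

```python
"""Host-scoped authorization, vulnerable shape beside a hardened shape.

Constructed example. Handlers, the per-host policy table, the token and the
"customer record" are hypothetical and do not reproduce any real deployment.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample data: a single customer record behind the API.
CUSTOMER_RECORDS = {"c-1001": {"name": "Example Customer", "dob": "1970-01-01"}}
VALID_TOKENS = {"secret-token-for-c-1001": "c-1001"}  # constructed bearer token


@dataclass
class Request:
    host: str
    path: str
    token: Optional[str] = None  # None models an anonymous caller


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def lookup_customer(customer_id: str) -> Response:
    rec = CUSTOMER_RECORDS.get(customer_id)
    return Response(200, rec) if rec else Response(404)


# --- Vulnerable shape: the access-control decision is keyed on the Host header.
# The table was "fixed" for the main domain; the alias that serves the same code
# path never got an entry, and a missing entry falls through to allow.
HOST_POLICY_VULNERABLE: Dict[str, bool] = {
    "www.optus.com.au": True,  # fixed: authentication required on the main domain
    # "api.www.optus.com.au" is absent, so .get() below returns False for it
}


def handle_vulnerable(req: Request) -> Response:
    requires_auth = HOST_POLICY_VULNERABLE.get(req.host, False)  # default-allow bug
    if requires_auth and VALID_TOKENS.get(req.token) is None:
        return Response(401)
    customer_id = req.path.rsplit("/", 1)[-1]
    return lookup_customer(customer_id)


# --- Hardened shape: authentication is decided before routing and never consults
# the Host header; an alias the service does not know about is refused outright.
KNOWN_HOSTS = {"www.optus.com.au", "api.www.optus.com.au"}


def handle_hardened(req: Request) -> Response:
    if req.host not in KNOWN_HOSTS:
        return Response(421)  # Misdirected Request: do not serve unexpected aliases
    caller = VALID_TOKENS.get(req.token)
    if caller is None:
        return Response(401)
    customer_id = req.path.rsplit("/", 1)[-1]
    if caller != customer_id:
        return Response(403)  # authenticated, but not the owner of this record
    return lookup_customer(customer_id)


# --- The regression check: the same anonymous request against every hostname
# that fronts the API, so a fix on one alias cannot hide a gap on another.
def anonymous_exposure(handler: Callable[[Request], Response],
                       hosts: Iterable[str], path: str) -> List[str]:
    """Return the hosts on which an unauthenticated request reaches data (HTTP 200)."""
    leaking = []
    for host in sorted(hosts):
        resp = handler(Request(host=host, path=path, token=None))
        if resp.status == 200:
            leaking.append(host)
    return leaking


if __name__ == "__main__":
    path = "/api/customers/c-1001"
    print("vulnerable leaks on:", anonymous_exposure(handle_vulnerable, KNOWN_HOSTS, path))
    print("hardened leaks on:  ", anonymous_exposure(handle_hardened, KNOWN_HOSTS, path))
```

In a real environment the host list fed to the check should come from DNS and load-balancer configuration rather than from the application's own idea of its hostnames, since the alias that escapes a fix is usually the one nobody remembered the service answered on.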

Prior to the latest claims, the breach was believed to be the result of an unauthenticated API endpoint that was freely accessible online.

Speaking with ITNews, Optus confirmed the vulnerability.

“The cyber attack resulted from the cyber attacker being able to exploit a previously unknown vulnerability in our defences that arose from a historical coding error,” said Optus interim CEO Michael Venter.

“This vulnerability was exploited by a motivated and determined criminal as they probed our defences, and then exploited and evaded these defences by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data.

“The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.”

Optus said the vulnerable API was taken offline four days after the attack, on 21 September 2022.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
