The Australian Communications and Media Authority (ACMA) has claimed that the Optus breach of 2022 was the result of a coding error that allowed open access to an API.
As revealed in a statement published yesterday (20 June), the ACMA will claim in court that while Optus had controls in place to protect the API from threats, a coding error allowed those controls to be bypassed, leaving the API openly accessible.
“Optus’ failure was due to a coding error which it did not detect during (and for four years prior to) the [data breach period],” the ACMA said in a statement to the Federal Court.
“As a result, the personally identifiable information of more than 9.5 million former and current customers of Singtel Optus Pty Limited and its subsidiaries was accessed by a cyber attacker.”
The ACMA also claims that the API was exposed through two different domains, www.optus.com.au and api.www.optus.com.au, which it refers to as the main domain and the target domain respectively, from 20 April 2017.
While Optus identified the issue and patched it for the main domain in August 2021, it did not “detect or fix that same issue which affected the target domain”.
Prior to the latest claims, the breach was believed to be the result of an unauthenticated API endpoint that was freely accessible online.
Speaking with ITNews, Optus confirmed the vulnerability.
“The cyber attack resulted from the cyber attacker being able to exploit a previously unknown vulnerability in our defences that arose from a historical coding error,” said Optus interim CEO Michael Venter.
“This vulnerability was exploited by a motivated and determined criminal as they probed our defences, and then exploited and evaded these defences by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data.
“The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.”
Optus said the vulnerable API was taken offline on 21 September 2022, four days after the attack.