Access Control Coding Error Allegedly Leads to Optus Breach

The Australian Communications and Media Authority (ACMA) has provided detailed technical insights into the Optus data breach, attributing the incident to a coding error in access control mechanisms. This error allegedly left an Application Programming Interface (API) vulnerable, enabling unauthorized access to customer data.

The ACMA's statement of claim, attached to court orders, outlines the argument that Optus failed to protect customer data adequately. The breach had previously been linked to an internet-facing, unauthenticated API endpoint. The ACMA’s claim confirms this but adds that while Optus had access controls in place, a code change inadvertently weakened one control, making it bypassable. This API endpoint was both exposed to the internet and dormant for an extended period, compounding its vulnerability.

Optus became aware of the coding error in August 2021, nearly three years after it was made, but only addressed it on its main site, www.optus.com.au, not on the API endpoint on a subdomain. The ACMA alleges that Optus had at least three opportunities to identify and fix the issue affecting the API endpoint before it was exploited. The endpoint was taken offline on September 21, 2022, four days after the breach was discovered.

In response to the ACMA’s documents, Optus interim CEO Michael Venter acknowledged the coding error and the resultant vulnerability. Venter explained that a sophisticated and motivated criminal exploited the flaw by probing Optus' defenses, mimicking regular customer activities, and using tens of thousands of different IP addresses to avoid detection. Following the attack, Optus rectified the vulnerability, reviewed its systems and processes, and made further investments to bolster its cyber defenses in response to the heightened global cyber risk environment. Venter stated that Optus is committed to cooperating with the ACMA in the ongoing Federal Court case and intends to defend its actions and correct the record where necessary.

The ACMA is expected to gain additional technical details through a forensic report prepared by Deloitte, which will be provided by the end of the week. This report is also being handed over in a separate class action against Optus, despite attempts to keep it confidential. The ACMA’s concise statement includes redactions around specific system and technology names, reflecting the sensitivity of the information.

Following the breach, Optus has reimbursed 20,071 current and former customers for the cost of replacing identity documents and is also covering costs incurred by government agencies for these replacements. Venter expressed deep regret over the incident, acknowledging that Optus failed to meet customer expectations for data security. The case is scheduled for a management hearing on September 13.

The ACMA’s filing reveals significant details about the technical failures and security lapses that led to the Optus data breach. It highlights the importance of robust access controls and regular security audits to prevent such incidents in the future. The breach underscores the need for comprehensive security measures to protect customer data, particularly in an era where cyber threats are becoming increasingly sophisticated.

The ACMA’s argument centers on the assertion that Optus had access controls in place but a code change weakened one of these controls, allowing it to be bypassed. The API endpoint was exposed to the internet and remained dormant for a long time, making it a prime target for exploitation. Optus detected the coding error on its main site in August 2021 but did not identify the same issue on the API endpoint. The ACMA claims that Optus had multiple opportunities to recognize and fix the vulnerability affecting the API endpoint before it was exploited. The endpoint was eventually taken offline after the breach was discovered.

Optus’ response to the ACMA’s documents includes an acknowledgment of the coding error and the resultant vulnerability. Venter explained that a determined criminal exploited this flaw by mimicking regular customer activities and using numerous IP addresses to evade detection. Following the attack, Optus addressed the vulnerability, reviewed its systems and processes, and invested in enhancing its cyber defenses to counter the elevated global cyber risk environment. Venter emphasized Optus’ commitment to cooperating with the ACMA in the ongoing Federal Court case, stating that the company intends to defend its actions and correct the record where necessary.

The ACMA is expected to access additional technical details through a forensic report prepared by Deloitte, which will be available by the end of the week. This report is also being provided in a separate class action against Optus, despite attempts to keep it confidential. The ACMA’s concise statement includes redactions around specific system and technology names, reflecting the sensitivity of the information.

In the wake of the breach, Optus has reimbursed over 20,000 current and former customers for the cost of replacing identity documents. The company is also covering costs incurred by government agencies for these replacements. Venter expressed deep regret over the breach, acknowledging that Optus failed to meet customer expectations for data security. The case has been scheduled for a management hearing on September 13.

Overall, the ACMA’s filing sheds light on the technical failures and lapses in security protocols that led to the significant data breach at Optus. The details underscore the importance of robust access controls and regular security audits to prevent similar incidents in the future. Optus’ response to the breach, including system reviews and increased investments in cybersecurity, reflects a broader industry recognition of the need to adapt to evolving cyber threats and safeguard customer data.

The ACMA's claim also highlights the broader implications of such security breaches. The failure to protect customer data not only undermines customer trust but also exposes companies to significant legal and financial repercussions. The detailed technical insights provided in the ACMA's filing serve as a reminder of the critical need for continuous vigilance, regular security audits, and robust access controls in protecting sensitive customer information. The case against Optus underscores the importance of comprehensive security measures in preventing data breaches and maintaining customer trust in an increasingly digital world.
