Samira Sarraf
Regional Editor for Australia and New Zealand

Optus breach occurred due to a coding error, alleges ACMA

News
News · Jun 21, 2024 · 4 mins
Data Breach, Data Privacy

New court filings expose the communications authority's allegation that the cyberattack was carried out "through a simple process of trial and error."

The Australian Communications and Media Authority (ACMA) has alleged that the Optus data breach of September 2022 happened because of a coding error which Optus failed to detect during the attack window of 17 to 20 September 2022, and for the four years before that.

ACMA filed a document setting out the allegations with the Victoria Registry of the Federal Court of Australia on June 19. The allegations are not based on the Deloitte report commissioned by Optus, which the telecommunications provider had until today to hand to the communications authority.

Coding error allowed API access to customer data

A system was created to allow Optus customers to retrieve their own data. This was exposed in several ways, including through APIs accessible from www.optus.com.au (the main domain) and api.www.optus.com.au (the target domain). Initially, access was only possible once a customer had authenticated.

Days after the breach, the ABC reported that this was the cause of the breach which Optus refuted at the time.

From 20 April 2017, the target domain was internet facing and access to the APIs was secured. The trouble started in September 2018 when a coding error was introduced to one of the access controls, which, ACMA alleges in the redacted document, left these access controls ineffective for both domains. “This left these domains vulnerable to attack once both domains became internet-facing with the coding error in June 2020.”

Optus detected the coding error that left the main domain vulnerable in August 2021 and fixed it but did not apply the same to the target domain. The coding error remained active until Optus identified the breach in September 2022.

ACMA alleges Optus had three opportunities to identify the error prior to the data being exfiltrated but failed to do so. “When the coding change was released into a production environment following review and testing in September 2018; when the target domain (and the main domain) became internet-facing through the production environment in June 2020; and when the coding error was detected for the main domain in August 2021.”

“The Target Domain was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it.”

In a statement sent to media outlets, Optus confirmed the cyberattack resulted from the “cyber attacker being able to exploit a previously unknown vulnerability in our defences that arose from a historical coding error.”

The attacker exploited the coding error to bypass the access controls and send requests to the target APIs, which returned customer data. More damning is ACMA's allegation that the cyberattack was not highly sophisticated and did not require advanced skills or knowledge of Optus's internal processes. "It was carried out through a simple process of trial and error."
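The filing does not describe the coding error itself (the document is redacted), so the following is an added, hypothetical illustration of the bug class the article describes, not Optus's code: an access-control guard on a customer-data endpoint that is meant to reject callers without a valid session but, through a one-word logic slip, lets requests with no session through at all. Beside it is the hardened form, which both authenticates the session and checks that the session owner is allowed to read the requested record. The customer store, session store, identifiers and URL paths are all constructed for the example. `trial_and_error` models the "trial and error" access ACMA alleges: unauthenticated requests for a range of guessed identifiers, counting how many come back with data.

```python
"""Hypothetical model of an API access-control coding error (added example,
not Optus's code). Shows a broken guard, the hardened guard, and a
trial-and-error enumeration run against both."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample customer store: identifiers and values are made up.
CUSTOMERS = {
    "c1001": {"name": "A. Example", "licence": "DL-000001"},
    "c1002": {"name": "B. Example", "licence": "DL-000002"},
    "c1003": {"name": "C. Example", "licence": "DL-000003"},
}

# Constructed session store: session token -> customer id it belongs to.
SESSIONS = {"tok-alpha": "c1001"}


@dataclass
class Request:
    path: str              # e.g. "/customer/c1002" (hypothetical route)
    token: Optional[str]   # session token, None when the caller sends none


def _customer_id(path: str) -> str:
    """Pull the customer identifier off the end of the path."""
    return path.rsplit("/", 1)[-1]


def vulnerable_handler(req: Request) -> Optional[dict]:
    """Buggy guard. The intent was 'serve only if a valid session exists',
    but 'is None or' was written where 'is not None and' belonged, so a
    request carrying no token at all satisfies the condition."""
    if req.token is None or req.token in SESSIONS:   # coding error
        return CUSTOMERS.get(_customer_id(req.path))
    return None


def fixed_handler(req: Request) -> Optional[dict]:
    """Hardened guard: authenticate (token maps to a live session) and
    authorise (the session owner is the customer whose record is requested)."""
    owner = SESSIONS.get(req.token) if req.token is not None else None
    if owner is None:
        return None                        # not authenticated
    if owner != _customer_id(req.path):
        return None                        # authenticated, but wrong object
    return CUSTOMERS.get(owner)


def trial_and_error(handler: Callable[[Request], Optional[dict]],
                    candidates: Iterable[str]) -> int:
    """Send unauthenticated requests for each guessed identifier and count
    how many return a customer record."""
    return sum(
        1 for cid in candidates
        if handler(Request(f"/customer/{cid}", None)) is not None
    )


if __name__ == "__main__":
    guesses = [f"c{n}" for n in range(1000, 1010)]
    print("records leaked by vulnerable handler:",
          trial_and_error(vulnerable_handler, guesses))   # 3
    print("records leaked by fixed handler:",
          trial_and_error(fixed_handler, guesses))        # 0
```

The point of keeping both handlers side by side is the review check the article says was missed three times: a guard whose behaviour for the "no credentials at all" case is never exercised by a test will pass review while silently admitting anonymous callers. A single test that sends a token-less request and expects a rejection would have failed against the buggy form.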

Optus claimed that the vulnerability was exploited by a motivated and determined criminal “as they probed our defences, and then exploited and evaded these defences by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data. The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.”
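Optus's statement points at why source-based controls fail against this pattern: an attacker who rotates through tens of thousands of addresses never trips a per-IP rate limit, while each individual request looks like an ordinary customer lookup. The following is an added detection sketch, not Optus's tooling, that aggregates over the endpoint instead of the source. It assumes a hypothetical access log that records whether a session was presented, and flags any time window in which unauthenticated requests to the customer endpoint were served data for many distinct identifiers, reporting the IP diversity alongside so an analyst can see why a per-IP threshold would not have fired. The log format, hostnames, addresses and identifiers are constructed for the example.

```python
"""Added detection sketch (hypothetical, not Optus's tooling): flag windows in
which unauthenticated requests to a customer-data endpoint were served for
many distinct customer identifiers, regardless of how many source IPs the
requests were spread across."""
from collections import defaultdict
import re
from typing import Iterable, Iterator, List, Tuple

# Constructed sample log lines in a made-up format:
#   <epoch> <src_ip> <host> <path> <session_presented:yes|no> <status>
# One authenticated lookup, then seven unauthenticated lookups of different
# identifiers from seven different addresses, then two normal authenticated
# lookups a couple of minutes later.
LOG_LINES = """\
1663400000 203.0.113.10 api.example.test /customer/c1001 yes 200
1663400001 198.51.100.1 api.example.test /customer/c1002 no 200
1663400002 198.51.100.2 api.example.test /customer/c1003 no 200
1663400003 198.51.100.3 api.example.test /customer/c1004 no 200
1663400004 198.51.100.4 api.example.test /customer/c1005 no 404
1663400005 198.51.100.5 api.example.test /customer/c1006 no 200
1663400006 198.51.100.6 api.example.test /customer/c1007 no 200
1663400007 198.51.100.7 api.example.test /customer/c1008 no 200
1663400100 203.0.113.20 api.example.test /customer/c1009 yes 200
1663400101 203.0.113.21 api.example.test /customer/c1010 yes 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) (?P<host>\S+) /customer/(?P<cid>\S+) "
    r"(?P<auth>yes|no) (?P<status>\d{3})$"
)


def parse(lines: Iterable[str]) -> Iterator[Tuple[int, str, str, bool, int]]:
    """Yield (timestamp, ip, customer_id, session_presented, status) for
    each well-formed customer-endpoint line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            yield (int(d["ts"]), d["ip"], d["cid"],
                   d["auth"] == "yes", int(d["status"]))


def suspicious_windows(lines: Iterable[str], window_s: int = 60,
                       distinct_threshold: int = 5) -> List[dict]:
    """Bucket unauthenticated requests that were answered with data (status
    200) into fixed windows and report windows that served at least
    `distinct_threshold` different customer identifiers.  `max_per_ip` is the
    busiest single address in the window: low values show why per-IP rate
    limiting would stay silent."""
    buckets = defaultdict(lambda: {"ids": set(), "ips": set(),
                                   "per_ip": defaultdict(int)})
    for ts, ip, cid, authed, status in parse(lines):
        if authed or status != 200:
            continue          # only anonymous requests that actually leaked data
        b = buckets[ts - ts % window_s]
        b["ids"].add(cid)
        b["ips"].add(ip)
        b["per_ip"][ip] += 1

    findings = []
    for start in sorted(buckets):
        b = buckets[start]
        if len(b["ids"]) >= distinct_threshold:
            findings.append({
                "window_start": start,
                "distinct_ids": len(b["ids"]),
                "distinct_ips": len(b["ips"]),
                "max_per_ip": max(b["per_ip"].values()),
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_windows(LOG_LINES.splitlines()):
        print(f)
```

On the constructed log this reports one window with six distinct identifiers served to anonymous callers from six addresses, with no address making more than one request. Note that a strictly correct service should never answer an unauthenticated customer lookup with 200 at all, so each such line is also worth a single-event alert; the windowing is what turns a slow, distributed enumeration into something visible as one incident.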

ACMA’s proceedings against Optus

On 20 May 2024, ACMA filed proceedings in the Federal Court against Optus alleging that during the data breach between 17 and 20 September 2022, Optus failed to protect the confidentiality of its customers' personal information from unauthorised interference or unauthorised access, as required under the Telecommunications (Interception and Access) Act 1979.

The breach saw the records of 9.5 million former and current Optus customers accessed. Of those, 3.6 million were active mobile subscribers, and it is in relation to these customers that ACMA seeks penalties for the contraventions.

The cyberattack led to the personally identifiable information of approximately 10,200 Optus customers being published on the dark web. Of Optus active subscribers, more than 3.1 million had their physical address accessed and more than 2.4 million had identity information such as passport, driver’s licence and Medicare numbers accessed.

Samira Sarraf covered technology and business across the IT channel before managing the enterprise IT content for the CIO.com, CSO Online, and Computerworld editions in Australia and New Zealand. With a focus on government cybersecurity and policies, she is now an editor with CSO Online global.