The Australian Information Commissioner (AIC) has launched civil action against Optus for a 2022 data breach that exposed the personal details of 9.5 million Australians. The breach involved sensitive personally identifiable information, including names, dates of birth, home addresses, phone numbers, email addresses, and government-related identifiers such as passport numbers, driver’s licence numbers, and Medicare card numbers. The attackers exploited a misconfigured API to access the dataset without authentication and issued a ransom demand. Although Optus prevented the theft of payment details and account passwords, a portion of the stolen data was leaked online. The AIC alleges Optus failed to take reasonable steps to protect the data, potentially facing significant financial penalties.
Source: https://www.infosecurity-magazine.com/news/australian-regulatory-sues-optus/
TPRM report: https://www.rankiteo.com/company/optus
"id": "opt448080825",
"linkid": "optus",
"type": "Breach",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '9.5 million',
'industry': 'Telecommunications',
'location': 'Australia',
'name': 'Optus',
'size': 'Large',
'type': 'Telecommunications'}],
'attack_vector': 'Misconfigured API',
'customer_advisories': 'Public apology and statement',
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '9.5 million',
'personally_identifiable_information': 'Names, dates of '
'birth, home '
'addresses, phone '
'numbers, email '
'addresses, '
'government-related '
'identifiers (passport '
'numbers, driver’s '
'licence numbers, '
'Medicare card '
'numbers, birth '
'certificate '
'information, marriage '
'certificate '
'information, armed '
'forces, defence force '
'and police '
'identification '
'information)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personally identifiable '
'information'},
'date_detected': '2022-09',
'date_publicly_disclosed': '2022-09',
'description': 'The Australian Information Commissioner (AIC) has launched '
'civil action against Optus for a 2022 data breach that '
'exposed the personal details of 9.5 million Australians. The '
'lawsuit alleges that Optus failed to take reasonable steps to '
'protect victims’ personal information from unauthorized '
'access and disclosure, in breach of Australia’s Privacy Act '
'1988.',
'impact': {'brand_reputation_impact': 'Significant',
'data_compromised': 'Personal details of 9.5 million Australians',
'identity_theft_risk': 'High',
'legal_liabilities': 'Potential civil penalty order',
'payment_information_risk': 'None (payment details and account '
'passwords were not stolen)'},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': 'Misconfigured API'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Organizations holding personal information need to ensure '
'they have strong data governance and security practices '
'to guard against vulnerabilities that threat actors will '
'be ready to exploit.',
'motivation': 'Financial gain (ransom demand)',
'post_incident_analysis': {'corrective_actions': 'Investing in the security '
'of customers’ information, '
'systems, and cyber defence '
'capabilities',
'root_causes': 'Misconfigured API and inadequate '
'security practices'},
'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
'references': [{'date_accessed': '2024-08-08',
'source': 'Australian Information Commissioner'}],
'regulatory_compliance': {'legal_actions': 'Civil penalty order sought by AIC',
'regulations_violated': 'Australia’s Privacy Act '
'1988'},
'response': {'communication_strategy': 'Public apology and statement',
'incident_response_plan_activated': True},
'title': 'Optus Data Breach',
'type': 'Data Breach',
'vulnerability_exploited': 'Misconfigured API'}