2022 Optus data breach

In September 2022, Australian telecommunications company Optus suffered a data breach that affected up to 10 million current and former customers comprising a third of Australia's population. Information was illegally obtained, including names, dates of birth, home addresses, telephone numbers, email contacts, and numbers of passports and driving licences. Conflicting claims about how the breach happened were made; Optus presented it as a complicated attack on its systems while an Optus insider and the Australian Government said a human error caused a vulnerability in the company's API. A ransom notice asking for A$1,500,000 to stop the data from being sold online was issued. After a few hours, the data thieves deleted the ransom notice and apologised for their actions.

Government figures, including Home Affairs and Cyber Security Minister Clare O'Neil, and Minister for Government Services Bill Shorten, criticised Optus for its role in the attack, and for being uncooperative with government agencies and the public. The government announced legislation, including the allowance of information-sharing with financial services and government agencies, and reforms to Australia's laws on security of critical infrastructure to help the government act in the event of future breaches. In response to the data breach, Optus agreed to pay for the replacements of compromised passports, commissioned an external review, and gave seriously affected customers a subscription to a credit monitoring service. Optus also apologised for the breach. Customers criticised Optus for not being responsive and for providing inadequate responses to those affected. As of June 2023, investigations into the breach and a class-action lawsuit from affected customers were ongoing.

Background
Optus, an Australian telecommunications company owned by Singtel, was founded in 1981 with the formation of the government-owned satellite-communications company AUSSAT. AUSSAT was privatised in 1991 and sold to a consortium that included Mayne Nickless and AMP. In 2022, Optus was Australia's third-largest telecommunications company with a 13.1% market share. In September 2022, Optus had around 10 million customers, comprising more than a third of Australia's population of around 26.12 million people.

Breach
On 20 September 2022, Optus's technical team noticed and investigated suspicious activity on its network. The next day, Optus's systems were found to have sustained a data breach and regulators were informed. On 22 September, the company publicly announced the data breach and informed news agencies. Optus advised the public to be vigilant for potential fraudulent activity but stated it did not know whether the breach had caused any harm to customers. Optus did not state how many customers were affected or whether the theft of data had caused harm. Illegally obtained information included names, dates of birth, home addresses, telephone numbers, email contacts, and passport and driving-licence numbers.

On 23 September, Optus denied an insider's claim that a mistake had occurred in which its application programming interface (API) had accidentally been left exposed to a test network that had access to the Internet. The company also said a complicated breach had occurred and that it had a strong cybersecurity system. The Australian Broadcasting Corporation (ABC) was told Optus believed the hacker had scraped the company's consumer database, and that a third of the data in the database had been copied and extracted.

On 24 September, Optus and the Australian Federal Police (AFP), which had opened a criminal investigation, received reports that data from the leak was being sold online and were monitoring the dark web for any attempt to sell the data. The same day, a user on the website BreachForums posted a ransom note; some cybersecurity experts believed the note was genuine but Optus and the AFP did not confirm its genuineness. The note demanded Optus pay $1,500,000 in the privacy-focused cryptocurrency Monero, provided a sample of data from 200 customers, and said the data thieves would release the personal information of 10,000 customers every day for a week if Optus did not pay the ransom. After the week elapsed, the thieves would sell the data for A$400,000 to anyone who wanted it. After several hours, the user deleted their original post and appeared to apologise for their actions despite no ransom being paid, stating it was a "mistake to scrape publish [sic] data in first place" and that too many people were paying attention to the breach. The user noted they would have reported the exploit they used if they had had the ability to contact Optus, noting the lack of a secure mail address, a messaging contact and bug bounties.

Government response
Home Affairs and Cyber Security Minister Clare O'Neil said Optus was at fault for the attack, refuting Optus's argument that the attack was complicated. O'Neil also said the attack should not have happened, stating: "Responsibility for the security breach rests with Optus[,] and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country".

On 6 October, the federal government announced an emergency regulation to temporarily allow driver's licence, Medicare information, and passport numbers to be shared with financial services, the Commonwealth, and state and territory agencies to assist monitoring of accounts of customers affected by the breach for potential scams or fraud. Financial institutions had to commit to several actions to receive the data, including honouring privacy obligations and deleting data once it had been used. The Council of Financial Regulators was asked to identify and report on changes to financial institutions to identify customers who were at risk of scams and fraud. The changes were in place for 12 months. Treasurer Jim Chalmers stated the measures would help protect customers from scams and detect fraud.

O'Neil expressed frustration at the government's lack of ability to intervene in the data breach, its inability to assist with the clean-up, and its inability to compel Optus to give information to government services. She stated Australian law was of no use to the government when it was needed because Australia's laws governing security of critical infrastructure only allowed the government to intervene while a data breach was occurring.

Following the breach, several new security measures to protect victims from fraud were announced, including banks being more quickly informed of data breaches to prevent the use of stolen data to fraudulently access bank accounts. The federal government announced an overhaul of the $1.7 billion cybersecurity plan introduced by the previous government, including additional powers to intervene in cybersecurity. The government also considered a Cyber Security Act to create standards and obligations for industry and government, and a reform to the Security of Critical Infrastructure Act to bring customer data and systems under the definition of "critical infrastructure", allowing the government to intervene in major data breaches.

In April 2023, the National Office of Cyber Security was founded with five full-time staff and no additional funding beyond what was already given to the Department of Home Affairs. In June 2023, Air Marshal Darren Goldie was appointed as Australia's inaugural Cyber Security Coordinator. In November 2023, Goldie was recalled to the Department of Defence regarding a workplace matter, and cyber-and-infrastructure security head Hamish Hansford took on the position in the interim.

On 27 February 2023, Prime Minister Anthony Albanese and O'Neil hosted a roundtable with industry and civil society groups on cybersecurity following the data breach. A discussion paper was released regarding the role of the federal government in increasing Australia's cybersecurity capability.

The state governments of Queensland, Victoria, South Australia and Western Australia agreed to pay for the replacement of driver's licences for people whose driver's licence numbers were compromised by the breach. In Victoria, plans to add a second number to driver's licences were quickly enacted; all victims of the breach received the second number as part of their replacements, to protect Victorians from identity theft.

Optus response
On the day the breach was announced, Optus set up a "war room" at its headquarters in Macquarie Park, New South Wales. This involved around 150 employees, and was headed by former Premier of New South Wales Gladys Berejiklian and regulatory and public affairs head Andrew Sheridan.

Optus commissioned Deloitte to perform an "independent external review" regarding the breach. Optus also offered its "most affected" customers a 12-month subscription to the credit-monitoring service Equifax Protect after O'Neil, in Question Time, requested the company buy credit monitoring for its customers. Optus CEO Kelly Bayer Rosmarin apologised for the attack on behalf of the company. Optus reserved $140 million for costs relating to the breach, including the replacement of hacked identity documents, Equifax Protect subscriptions, and the Deloitte review. Optus promised to pay for the replacement of compromised Australian and foreign passports.

Optus reported 2.1 million of its customers had had identity documents stolen in the hack. Of these, 1.2 million had at least one current, valid number from a form of personal identification stolen. The remaining 900,000 customers had expired identity numbers stolen.

Services Australia accused Optus of a lack of communication. On 27 September, Services Australia wrote to Optus "asking for the full details of all affected customers with Services Australia credentials exposed, such as Medicare cards and/or Centrelink concession cards". Minister for Government Services Bill Shorten stated that, a week later, Services Australia had not received any data from Optus, which said it was "in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take". There was also confusion about the number of stolen Medicare ID numbers; Shorten told a press conference around 36,900 ID numbers had been stolen while Optus said 14,900 ID numbers had been stolen.

Customers also reported having problems communicating with Optus. Customers stated Optus could not confirm whether their personal information was part of the data breach. Customers reported that, after contacting Optus several times, the company's chatbot failed to understand their questions about the breach, sales representatives gave poor responses, they did not receive a response from Optus at all, and there were delays in warning customers of compromised personal information. One customer stated: "Ultimately, we are sitting ducks for identity theft, and given that we can’t change our dates of birth, address or names, there isn’t much we can do about it, which is incredibly frustrating".

On 8 March 2023, Bayer Rosmarin restated Optus's claim the attack was sophisticated, stating at a business summit: "[t]he skilled criminal had knowledge of Optus' systems and cycled through many tens of thousands of internet protocol addresses in an attempt to evade our automated cyber monitoring". She also stated Optus never paid a ransom to the hacker and that the main reason for the breach was other scam purposes.

In November 2023, Bayer Rosmarin resigned as CEO of Optus after the 2023 Optus outage; there had been mounting pressure on her to resign due to the outage and the data breach.

Legal action
On 6 October 2022, the Australian Federal Police (AFP) arrested a 19-year-old Sydney man Dennis Su in his home at Rockdale for blackmailing 93 breach-affected Optus customers. Su said he would commit financial crimes using the customers' personal data unless they paid him A$2,000, which none did. He was charged with one count of using a telecommunication network with intent to commit a serious offence and one count of dealing with identification information with intent to commit an offence. AFP Assistant Commissioner Justine Gough stated Su was not suspected of being responsible for the breach and warned people not to click on links claiming to be from Optus. Su pleaded guilty in November 2022; he did not go to jail due to a guilty plea, his age, and remorse shown for his actions, and he received an 18-month community corrections order.

On 11 October, the Office of the Australian Information Commissioner (OAIC) launched an investigation into the breach, Optus's handling of customers' personal data, whether Optus took reasonable steps to protect consumers affected by the breach from fraud, misuse, or loss, and whether Optus needed to keep the collected information. The Australian Communications and Media Authority (ACMA) also launched an investigation into the breach, focusing on Optus's obligations to protect and dispose of personal data. The federal government gave OAIC $5.5 million to investigate the breach over two years in its October 2022 budget.

Law firm Slater & Gordon launched a class action alleging Optus "breached laws and its own policies by failing to adequately protect customer data and destroy or de-identify former customer data". The ongoing class action was joined by 100,000 current and former Optus customers who wanted compensation for losses, including the time to replace identification documents and the stress it caused. Optus stated it would defend its actions. In court, Slater & Gordon lawyers requested the public release of the Deloitte report, arguing it could reveal the possible causes of the data breach. Optus declined to release the report despite Bayer Rosmarin stating in March 2023 Optus would share "key recommendations and learnings" from the report. In November 2023, Optus lost a bid to keep the report confidential.