Optus Data Breach Penalties Hang in the Balance as ACMA Hones in on API Access Control Coding Error

by | Jul 8, 2024

It has now been nearly two years since the Optus data breach, but the Australian telco giant is still facing the bulk of the penalties it will have to pay for its shortcomings in the incident. But exactly what amount that will be is still in question. If the Australian Communications and Media Authority (ACMA) had its way, that total could go as high as $900 million with the maximum possible penalty. All of that will hinge on a court’s decision on the company’s handling of a coding error in the access control of an API that lingered for years before being exploited.

Access control issue first appeared in 2017, exploitable vulnerability surfaced in 2020

ACMA will have to make its case in court to establish negligence in the Optus data breach. The agency’s case hinges on the fact that the vulnerability that the attacker exploited, one that did not require any real high-level technical skill or penetrative hacking to discover and use, was first induced by a coding error in the API’s access control four years earlier and became available to the open internet two years earlier.

Optus was exploited via a faulty API access control that was sound when it was first put into place in 2017, but became vulnerable due to a coding error in an update in September 2018. ACMA says that was the first reasonable opportunity the company had to spot the access control issue.

The company would later spot the coding error on its main site in August 2021, but failed to detect that it was also present on a subdomain that went active on the open internet in June 2020. ACMA argues that the access control issue reasonably should have been found either when that subdomain went active in 2020, or at the very least when the company identified the issue elsewhere in 2021.

ACMA argues Optus data breach caused by preventable coding error

The Optus data breach has drawn special attention from regulators because of its size, and because it happened to take place during a string of high-level breaches in the country that prompted transformation of its data security regulations. It is one of the largest breaches in the country’s history with over 10 million records exposed. Most of those victims lost contact information and dates of birth in the incident, but about 3.1 million also had their home addresses leaked and about 2.4 million had something much more sensitive (like a Medicare or driver’s license number) exposed.

The access control should have limited Optus customers to viewing and editing their own data, but an attacker eventually found that the coding error allowed them to cycle through predictable sequences of URLs and access customer account information without authentication.

Observers had been wondering if a late May ruling in a class action case against Optus would come into play here, as a federal court required the company to make parts of an internal auditing report available to the claimant’s attorneys. It does not appear that report will be used in the ACMA’s case, however.

The Optus data breach has already cost the company some amount of money, a good deal of that paid out voluntarily. It has already reimbursed 20,000 current and former customers that had enough personal information exposed that they needed to change some sort of national identification number, and it has compensated some government agencies as well.

Recent Posts

How can we help?

8 + 2 =

× How can I help you?