

2022 Optus Data Breach Incident

09/07/2025

Incident Analysis: 2022 Optus Data Breach

Overview

In September 2022, Optus, Australia’s third-largest telecommunications provider, suffered a significant data breach, compromising sensitive personal data of nearly 10 million customers, approximately a third of Australia’s population. The breach involved the exfiltration of customer names, birthdates, addresses, phone numbers, emails, passport numbers, and driving license details.

Timeline of Events

  • September 20, 2022: Optus detected suspicious activity within its network infrastructure.
  • September 21, 2022: Internal investigation confirmed a data breach; Optus alerted regulators.
  • September 22, 2022: Optus publicly disclosed the breach, urging customers to remain vigilant against potential fraud.
  • September 23, 2022: A ransom demand surfaced online, requesting AUD 1.5 million. Shortly after, the attackers rescinded the ransom note and issued an apology, though the stolen data was already compromised.

Technical Analysis of the Vulnerability

The breach’s root cause was identified as an insecure Application Programming Interface (API). According to reports, including statements from government officials and an Optus insider, the API was mistakenly exposed to a publicly accessible test environment due to human error, enabling unauthorized external access.

Vulnerable Endpoint Analysis

The API endpoint /users/{userId} was designed to return user details for the userId supplied in the path. It had several critical flaws:

  1. Insufficient Authentication and Authorization:
    The API did not implement necessary authentication mechanisms, allowing unauthenticated attackers to query and retrieve sensitive user information.

  2. Insecure Direct Object References (IDOR):
    The endpoint directly used user identifiers without proper access checks. Attackers exploited this vulnerability by iterating over potential user IDs, systematically extracting user data.

  3. Poor Error Handling and Exposure of Internal Structures:
    Exception handling revealed internal system details through error messages, aiding attackers in enumerating user data.

Example of flawed code snippet (search() and Users are defined elsewhere in the challenge code):

from typing import Any

def get_user_detail(userId: str) -> Any:
    # No authentication or authorization check: any caller may request any userId.
    try:
        _user = search(Users.users, userId)
        if _user:
            return _user, 200
        # int(userId) raises on a non-numeric id; the raw exception text is then
        # returned to the client below, revealing internal details.
        if Users.users.get(int(userId)):
            return Users.users[int(userId)]
    except Exception as ex:
        return {"message": str(ex)}, 404
    return "Not found", 404

This implementation allowed enumeration through sequential or brute-force techniques due to missing security controls, directly contributing to the mass data exfiltration.
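As an added example (not the challenge's or Optus's code), the snippet below is a hardened counterpart to the flawed handler: it authenticates the caller, validates the id, enforces that a caller can only read their own record (the IDOR fix), and returns one generic error for every failure path. It is written as a plain function with a constructed in-memory user store and session table so it runs without a web framework; the USERS and SESSIONS names and the bearer-token format are assumptions.

```python
from typing import Any, Dict, Optional, Tuple

# Constructed sample data (not from the incident): user id -> record.
USERS: Dict[int, Dict[str, str]] = {
    1001: {"name": "A. Citizen", "passport": "PA0000001"},
    1002: {"name": "B. Resident", "passport": "PB0000002"},
}

# Constructed session table (assumption): bearer token -> authenticated user id.
SESSIONS: Dict[str, int] = {"token-for-1001": 1001}

# One generic error body for every failure path, so responses never leak
# exception text, nor whether an id exists but belongs to someone else.
NOT_FOUND: Tuple[Any, int] = ({"message": "Not found"}, 404)
UNAUTHENTICATED: Tuple[Any, int] = ({"message": "Authentication required"}, 401)


def hardened_get_user_detail(user_id: str, auth_header: Optional[str]) -> Tuple[Any, int]:
    """Return a user's record only to the authenticated owner of that record."""
    # 1. Authentication: require a valid bearer token before touching any data.
    if not auth_header or not auth_header.startswith("Bearer "):
        return UNAUTHENTICATED
    caller_id = SESSIONS.get(auth_header[len("Bearer "):])
    if caller_id is None:
        return UNAUTHENTICATED

    # 2. Input validation: accept only decimal digits, so int() cannot raise
    #    and no bad value or exception message is reflected to the client.
    if not user_id.isdecimal():
        return NOT_FOUND

    # 3. Authorization (the IDOR fix): the caller may read only their own record.
    #    Answer 404 rather than 403 so an attacker cannot tell "exists" from
    #    "forbidden" and enumerate ids by status code.
    if int(user_id) != caller_id:
        return NOT_FOUND

    record = USERS.get(int(user_id))
    if record is None:
        return NOT_FOUND
    return record, 200
```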

Learn more about the faults in the API in our Technical Writeup of the incident.


Post-Incident Response

Optus faced criticism from government officials for inadequate transparency and cooperation during incident handling. The company subsequently implemented several mitigation steps:

  • Commissioned an external cybersecurity audit.
  • Provided affected customers with credit monitoring services.
  • Funded the replacement of compromised passports.
  • Publicly apologized for the security lapse.

The Australian government responded by proposing legislative reforms enhancing cybersecurity practices and mandating clearer reporting obligations for critical infrastructure providers.


Lessons Learned

This incident underscores several crucial cybersecurity lessons:

  • Strict API Security: Ensure robust authentication, authorization, and access control measures to prevent unauthorized data access.
  • Proper Endpoint Protection: APIs exposed to public or semi-public environments must be rigorously audited for vulnerabilities like IDOR.
  • Effective Error Handling: Avoid detailed error messages that reveal internal system mechanics or data structures to external users.

The Optus breach highlights the necessity for comprehensive API security protocols and proactive vulnerability management within enterprises handling sensitive data.

Read more about the incident: 2022 Optus data breach - Wikipedia


We made a challenge inspired by this incident: No Sutpo

It is available for free for 2 weeks in our Weekly Incident Game.
