The data breach at Australian telecommunications company Optus, which resulted in the exposure of personal information for over nine million customers, has been attributed to a coding error that compromised API access controls and remained unaddressed for years.
A court filing from Wednesday includes details of the incident provided by the Australian Communications and Media Authority (ACMA), which is taking enforcement action against Optus under its regulatory powers.
The Authority claims that Optus stored customer information and made it accessible to authenticated customers via www.optus.com.au and api.optus.com.au, referred to as the “Main” and “Target” domains. Accessing this information required the use of APIs, described in the filing as “Target APIs.”
The Target domain was designed to segregate API traffic from static content hosted on the Main domain and had been internet-facing since 2017. The Target APIs were protected by various access controls intended to prevent unauthorized access.
However, a coding error in 2018 compromised one of these access controls, rendering it ineffective on both the Target and Main domains.
I’m happy to see redacted federal court documents from @acmadotgov became public that describe the precise cause of Optus’s data breach. It’s not new news and nor different from my initial reporting: a leaky API led to the breach. But there are interesting tidbits. pic.twitter.com/9BPzhjZBjJ
— Jeremy Kirk (@Jeremy_Kirk) June 20, 2024
Optus discovered this error in 2021 and fixed it—but only for the Main domain.
The issue on the Target domain went undetected and thus remained unresolved.
Despite being unnecessary, the Target domain stayed online and accessible via the internet. The court filing indicates it “was not decommissioned despite a lack of any need for it.”
In September 2022, an attacker exploited the broken access controls to send requests to the Target APIs, retrieving customer information for 9.5 million individuals, leading to significant consequences for Optus and its parent company, Singtel.
The filing includes the following evaluation of the breach:
“The cyber attack was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge of Optus’s processes or systems. It was carried out through a simple process of trial and error.”
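The filing describes the flaw only at the level of an access control that was "rendered ineffective" by a coding error and then defeated by trial and error; it does not say what the error was. The following Python example is added here to illustrate that class of bug and is not Optus code or a reconstruction of the actual defect. It assumes a hypothetical error in which a per-record authorization check is still called but its result is ignored, shows the corrected handler beside it, and runs a simple ID sweep against both to show why enumeration succeeds against one and not the other. The customer records, caller names and ID range are constructed sample data.

```python
"""Illustrative only: an API whose per-record authorization check is present
but ineffective, beside the fixed handler, and a trial-and-error ID sweep.
This is an added example, not code from Optus or the court filing."""


class NotFound(Exception):
    """Raised for both missing and foreign records so that the API does not
    act as an oracle for which customer IDs exist."""


# Constructed sample store: record_id -> (owning account, customer data).
CUSTOMERS = {
    1001: ("alice", {"name": "Alice", "dob": "1980-01-01"}),
    1002: ("bob", {"name": "Bob", "dob": "1975-05-05"}),
    1003: ("carol", {"name": "Carol", "dob": "1990-09-09"}),
}


def is_authorized(caller: str, record_id: int) -> bool:
    """True only if the authenticated caller owns the requested record."""
    entry = CUSTOMERS.get(record_id)
    return entry is not None and entry[0] == caller


def get_customer_broken(caller: str, record_id: int) -> dict:
    """Hypothetical coding error: the check is evaluated but never acted on,
    so any authenticated caller can read any record that exists."""
    is_authorized(caller, record_id)  # result discarded: the control is dead code
    if record_id not in CUSTOMERS:
        raise NotFound(record_id)
    return CUSTOMERS[record_id][1]


def get_customer_fixed(caller: str, record_id: int) -> dict:
    """Corrected handler: authorization gates the read, and a foreign record
    is indistinguishable from a missing one."""
    if not is_authorized(caller, record_id):
        raise NotFound(record_id)
    return CUSTOMERS[record_id][1]


def enumerate_records(handler, caller: str, start: int, stop: int) -> dict:
    """Trial-and-error sweep over an ID range, the kind of unsophisticated
    probing the filing describes. Returns whatever the caller could read."""
    found = {}
    for record_id in range(start, stop):
        try:
            found[record_id] = handler(caller, record_id)
        except NotFound:
            continue
    return found


if __name__ == "__main__":
    # "mallory" is an authenticated customer who owns none of the sample records.
    leaked = enumerate_records(get_customer_broken, "mallory", 1000, 1010)
    blocked = enumerate_records(get_customer_fixed, "mallory", 1000, 1010)
    print(f"broken handler leaked {len(leaked)} records: {sorted(leaked)}")
    print(f"fixed handler leaked {len(blocked)} records")
```

The sweep is deliberately naive: no credential abuse, no knowledge of the schema, just sequential IDs against an authenticated endpoint. That is exactly the situation in which a check that is present in the code but not enforced gives the same outcome as no check at all, and why a fix has to be verified on every host that serves the same code, not only the one where the bug was noticed.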
Many readers might see this as a cautionary tale in the realm of software development and security.
Optus has not contested the details of the attack as presented.
A coding error in access control led to the Optus breach, exposing customer data through a dormant, internet-facing #API. Secure coding practices are crucial to prevent such vulnerabilities. 🛡️ 🔐 #cybersecurity #databreach #optus #SecureCoding #ACMA https://t.co/HddXhloIbq
— Cyber News Live (@cybernewslive) June 20, 2024
ACMA is pursuing civil penalties in this case. Singtel has informed investors that it cannot estimate the penalties but plans to defend against the charges.
The incident underscores two practical lessons: a fix for a shared access-control bug has to be applied and verified on every host that serves the affected code, not only the one where it was found, and internet-facing systems that no longer serve a purpose should be decommissioned rather than left reachable.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He’s also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.