Optus data breach

Optus is Australia's second-largest mobile carrier, providing about 31% of mobile services. In September 2022, a cyber maintenance failure exposed sensitive customer data.

Initially, Optus announced that the cyber security incident led to the theft of personal information from about 150,000 customers, including names, birth dates, phone numbers, and email addresses. In the following days, Optus found the hacker had accessed between 2.5 million and 9.7 million records. For some customers, the leak included addresses and driver licence, Medicare, or passport numbers.

Optus worked with federal and state government agencies, including the Australian Cyber Security Centre, to decrease the risks to customers. Optus also notified the Office of the Australian Information Commissioner and key regulators.

The breach allegedly occurred due to an unsecured application interface that allowed other devices and systems to access it. The damage to Optus was significant, including substantial spending on remediation and potential compensation for victims. Estimates also suggest a $1.5 billion loss in Optus's brand value.

A hacker on a dark web forum claimed to have stolen and then deleted the data, but it is not known if this is true. The stolen identities may still surface, putting Optus customers at ongoing risk of identity theft. The incident also impacted government agencies, such as the Department of Transport and Main Roads, which had to replace over 178,000 Queensland driver licences.

This incident has prompted many organisations to re-evaluate the sensitive data they hold, and their business needs for collecting and storing this data.

The lesson is clear: if an organisation doesn’t hold sensitive customer data, it can't lose it.

No organisation is immune from a cyberattack. To be cyber-resilient, companies must have plans to respond quickly when an attack happens. As this case shows, technical incident response is just one part of the puzzle.