The data breach at Australian telco Optus, which saw over nine million customers’ personal information exposed, has been blamed on a coding error that broke API access controls, and was left in place for years.
A Wednesday court filing [PDF] includes an account of the incident penned by Australia’s Communications and Media Authority (ACMA), which is using its regulatory powers to pursue Optus.
The Authority alleges that Optus stored customer info and made it accessible to authenticated customers at www.optus.com.au and api.optus.com.au – described as the “Main” and “Target” domains. Retrieving that info required use of APIs that the filing describes as “Target APIs.”

The Target domain existed to segregate API traffic from static content at the Main domain, and had been internet-facing since 2017. The Target APIs were secured by “various access controls designed to prevent unauthorized access.”

But in 2018 a coding error broke one of those access controls, and meant it didn’t work on either the Target or Main domain.
Optus spotted that error … in 2021, when it fixed it – but only for the Main domain.

The problem was not detected on the Target domain, and therefore wasn’t fixed.
The Target domain, however, remained online and internet-facing. The court filing suggests it “was not decommissioned despite a lack of any need for it.”
In September 2022, an attacker “was able to bypass access controls and send requests to the Target APIs.” Doing so returned customer information for 9.5 million people – and sent Optus and its Singaporean owner, Singtel, into a world of pain.

The filing offers the following assessment of the incident:

There but for the grace of Git goes many a reader, we suspect.
Optus has not disputed the account of the attack.
ACMA is seeking civil penalties in the case. Singtel has advised [PDF] investors it can’t determine the quantum of penalties but will defend the case. ®