
Optus — Australian telco 9.8M-customer breach

An unauthenticated public API let an attacker enumerate 9.8 million Optus customer records — roughly 40% of Australia's population — including government identity document numbers.

Target: Optus — Australian telco 9.8M-customer breach
Date public: 22 September 2022
Sector: Telecoms
Attack type: Data Breach
Threat actor: Unattributed
Severity: High
Region: Australia

Optus is Australia's second-largest mobile phone company. In September 2022 it emerged that an attacker had quietly downloaded personal records on 9.8 million of its customers. They didn't break through any complex security system to do it. There was an API — a connection point Optus had left open for software to retrieve customer data — that required no password. Anyone who found it and knew that customer IDs were simple incrementing numbers could just count through the database, downloading a record with each step.

The stolen data was extraordinarily sensitive: names, addresses, dates of birth, email addresses and phone numbers for almost everyone, and, for 2.1 million customers, government identity document numbers too — drivers' licences, passport numbers, Medicare cards. In Australia, those numbers are the basis for proving your identity to open a bank account, get a loan, or port a phone number.

The attacker initially tried to ransom the data for $1 million, then abruptly dropped the demand. Optus's parent company set aside $140 million for breach-related costs. The incident directly triggered Australia's 2024 Cyber Security Act — the most significant overhaul of Australian cyber law in a decade.

What happened

On 22 September 2022 Optus, Australia’s second-largest telecommunications company, publicly disclosed that it had suffered a breach of customer data. An attacker had accessed an application programming interface connected to Optus’s customer database and had downloaded personal records on approximately 9.8 million current and former customers — roughly 40% of Australia’s total adult population.

The exposed data was comprehensive. Every affected customer had at minimum their name, date of birth, address, phone number, and email address exposed. For approximately 2.1 million customers the exposure also included government identity document numbers: Australian drivers’ licence numbers, passport numbers, and Medicare card numbers. These documents are the foundational identity proof in Australia’s financial and government systems; exposure at this scale created sustained risk of identity fraud, SIM-swapping, account takeover, and financial crime for millions of people.

An individual claiming responsibility for the breach posted a sample of 10,200 customer records on a cybercrime forum and demanded $1 million in Monero for the full dataset. Approximately three days later, the same individual publicly apologised, retracted the ransom demand, and claimed to have deleted all copies, citing “too much heat” from law enforcement attention and media coverage. The Australian Federal Police launched an investigation; no individual was charged in connection with the intrusion.

Optus’s parent company Singtel recorded a $140 million provision for costs related to the breach, including regulatory response, credit monitoring for affected customers, and support for customers whose government identity documents were potentially compromised.

How it worked

The technical cause of the breach was simple and avoidable. Optus had an API endpoint that returned customer record data and that was reachable from the public internet without any authentication requirement. The customer records were indexed by a sequential numeric identifier. An attacker who found the endpoint needed only to increment the identifier value with each request to step through the entire customer database, downloading one record per request.

The Australian Information Commissioner’s investigation, which concluded in a 2024 determination, found that Optus had failed to take reasonable steps to protect the personal information it held, in breach of the Australian Privacy Act. Specifically, the Commissioner found that the unauthenticated API endpoint had been in existence for several years — indicating that the configuration had persisted across multiple product releases and infrastructure updates without being caught by any security review, vulnerability scanning programme, or API inventory process.

The breach required no zero-day exploit, no spear-phishing campaign, no credential theft, and no insider access. It required only that an attacker discover an endpoint that should not have been public and then make sequential HTTP requests to it. The combination of an absent authentication requirement, predictable sequential identifiers, and no rate-limiting or anomaly detection on the API meant there were no automated controls that would have flagged the enumeration as suspicious before the attacker had downloaded a significant portion of the database.
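The anomaly detection that was missing is not exotic. The following is an added example, not code from Optus or from this page's author: it parses gateway access-log lines and flags any client whose requests in a short window mostly step the customer identifier by exactly one. The log format (combined log format plus a trailing `auth=` field), the `/api/customers/<id>` path, the thresholds and the sample lines are all assumptions constructed for the example.

```python
"""Flag sequential-identifier enumeration of a customer-record API from
access logs. Added example; the log format, path, thresholds and sample
lines are constructed assumptions, not Optus's systems."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: combined log format plus a trailing auth=<scheme|none>
# field written by the gateway. A real deployment needs its own regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) /api/customers/(?P<cid>\d+)[^" ]* [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" auth=(?P<auth>\w+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, customer_id, status, auth), or None for lines
    that are not customer-record requests (health checks, other routes)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["cid"]),
            int(m["status"]), m["auth"])


def detect_enumeration(lines, window_seconds=60, min_requests=20,
                       min_sequential_ratio=0.8):
    """Emit at most one finding per client: the largest window of at most
    window_seconds holding >= min_requests record requests in which at
    least min_sequential_ratio of consecutive ids differ by exactly +1."""
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, cid, status, auth = parsed
            per_client[ip].append((ts, cid, status, auth))

    findings = []
    for ip, reqs in sorted(per_client.items()):
        reqs.sort(key=lambda r: r[0])
        best = None
        start = 0
        for end in range(len(reqs)):
            # slide the window start forward until it fits in window_seconds
            while reqs[end][0] - reqs[start][0] > timedelta(seconds=window_seconds):
                start += 1
            window = reqs[start:end + 1]
            if len(window) < min_requests:
                continue
            ids = [r[1] for r in window]
            steps = [b - a for a, b in zip(ids, ids[1:])]
            ratio = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
            if ratio >= min_sequential_ratio and (best is None or len(window) > len(best[0])):
                best = (window, ratio)
        if best:
            window, ratio = best
            findings.append({
                "client": ip,
                "requests": len(window),
                "sequential_ratio": round(ratio, 3),
                "first_id": window[0][1],
                "last_id": window[-1][1],
                "unauthenticated": all(r[3] == "none" for r in window),
                "records_returned": sum(1 for r in window if r[2] == 200),
            })
    return findings


def _line(ip, second, cid, auth, status=200):
    """Build one constructed log line (timestamps and addresses are fictional)."""
    ts = f"22/Sep/2022:10:00:{second:02d} +1000"
    return (f'{ip} - - [{ts}] "GET /api/customers/{cid} HTTP/1.1" {status} 512 '
            f'"-" "python-requests/2.28.1" auth={auth}')


# Constructed sample: one client walking ids 1000001..1000025 with no
# credentials, one authenticated client fetching a few of its own records,
# and an unrelated health-check line that the parser must ignore.
SAMPLE_LOG = [_line("203.0.113.5", i, 1000001 + i, "none") for i in range(25)]
SAMPLE_LOG += [_line("198.51.100.7", s, cid, "bearer")
               for s, cid in ((3, 204411), (9, 204411), (31, 771902), (48, 204411))]
SAMPLE_LOG.append('198.51.100.7 - - [22/Sep/2022:10:00:50 +1000] '
                  '"GET /health HTTP/1.1" 200 2 "-" "curl/7.81" auth=none')

if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_LOG):
        print(finding)
```

The sequential-step ratio is the signal that distinguishes enumeration from a busy but legitimate integration, which fetches the same handful of ids in no particular order; the `unauthenticated` and `records_returned` fields tell the responder whether the endpoint actually handed data to an anonymous caller, which is the fact that decides whether this is an incident.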

The attacker’s public forum post with the ransom demand contained a sample of genuine customer records, confirming the breach before Optus’s own communications did. Optus’s initial public statements were ambiguous about whether a vulnerability had been exploited at all or whether an “attack” had occurred; that language became controversial once the technical simplicity of the access method became clear.

Timeline

  • Unknown date prior to 2022 — Optus deploys or retains an unauthenticated customer-data API endpoint reachable from the public internet; the configuration persists undetected.
  • September 2022 — Attacker discovers the endpoint and begins iterating through customer identifiers, downloading records.
  • 22 September 2022 — Optus publicly discloses the breach; Australian Federal Police and government respond.
  • 23–26 September 2022 — Attacker posts 10,200 sample records on a cybercrime forum and demands $1 million in Monero.
  • 27 September 2022 — Attacker withdraws the ransom demand, apologises, and claims to have deleted the stolen data.
  • 2022–2023 — Australian government introduces mandatory data-breach notification reform and emergency legislation; Optus invests in customer-notification and identity-document replacement programme.
  • 2024 — Australian Information Commissioner publishes determination finding Optus in breach of the Privacy Act; Australia’s Cyber Security Act 2024 passes Parliament — the most significant Australian cyber legislation in a decade.

What defenders should learn

The Optus breach is the clearest large-scale demonstration of what happens when API security is treated as an afterthought. APIs are attack surface. Every API endpoint that returns sensitive data is, from a security perspective, equivalent to a door — and a door with no lock, reachable from the internet, is an open door. The fundamental controls that would have prevented this breach are elementary: require authentication on every endpoint that returns personal data; do not use sequential numeric identifiers as the sole key to records; implement rate-limiting on API calls; maintain an inventory of all external-facing API endpoints and audit them for authentication status.

The fact that the unauthenticated endpoint persisted for years indicates a systemic failure in Optus’s API security governance, not a single oversight. A functioning API inventory and periodic external-surface scanning would have found an unauthenticated endpoint returning customer PII. The absence of these controls across the full lifecycle of what was apparently a long-lived system indicates that API security was not a first-class concern in Optus’s development or infrastructure governance processes.

The sequential identifier issue is worth specific attention. Using incrementing integer IDs as the only mechanism to identify records means that enumerating all records requires no knowledge beyond the ID space — which for a database of millions of records is discoverable by simple probing. Modern API design practices use unpredictable resource identifiers, enforce authorisation checks at the object level (not just the endpoint level), and validate that the requesting party is entitled to the specific record being requested, not just to the endpoint in general. The combination of these practices makes enumeration attacks structurally infeasible.
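The controls listed in this section, put together in one request handler. This is an added example and not Optus's code or the page's: the weak pattern (`get_customer_unauthenticated`, keyed by the sequential database id with no caller check) sits beside the hardened `get_customer`, which rate-limits per client, requires a bearer token, looks records up only by an opaque identifier, and enforces object-level authorisation by checking that the caller's account owns the record. The in-memory store, the tokens, the opaque ids, the request budget and the `Request`/`Response` types are constructed stand-ins. Returning 404 rather than 403 for a record that belongs to another account is this example's own design choice, so that the response does not confirm the record exists.

```python
"""Customer-record lookup with the missing controls in place. Added example;
the store, tokens, identifiers and limits are constructed stand-ins."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed store. The sequential internal_id stays a private database key;
# the opaque public_id (generated once with new_public_id() and pasted in)
# is the only identifier the API ever exposes.
CUSTOMERS = {
    "k8Qf3zV1pLw2Rt9x": {"internal_id": 1000001, "name": "A. Example", "account": "acct-001"},
    "Zb7nM4cW0yH6sJq1": {"internal_id": 1000002, "name": "B. Example", "account": "acct-002"},
}
# Constructed bearer tokens -> the account each caller is entitled to see.
TOKENS = {"tok-alice-example": "acct-001", "tok-bob-example": "acct-002"}


def new_public_id():
    """Unpredictable identifier for a new record (128 bits from os.urandom)."""
    return secrets.token_urlsafe(16)


@dataclass
class Request:
    path: str
    client_ip: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def make_request(path, token=None, client_ip="198.51.100.7"):
    """Helper for building constructed requests with an optional bearer token."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return Request(path=path, client_ip=client_ip, headers=headers)


def get_customer_unauthenticated(internal_id):
    """The weak pattern described on this page: no caller identity, sequential
    key. Any integer that lands on a record returns that record."""
    for rec in CUSTOMERS.values():
        if rec["internal_id"] == internal_id:
            return Response(200, rec)
    return Response(404)


class RateLimiter:
    """Fixed-window request budget per client (constructed limit); the clock
    is injectable so the window can be driven deterministically in tests."""
    def __init__(self, limit=30, window_seconds=60, clock=time.monotonic):
        self.limit, self.window_seconds, self.clock = limit, window_seconds, clock
        self.buckets = {}

    def allow(self, client_ip):
        now = self.clock()
        start, n = self.buckets.get(client_ip, (now, 0))
        if now - start >= self.window_seconds:
            start, n = now, 0
        n += 1
        self.buckets[client_ip] = (start, n)
        return n <= self.limit


LIMITER = RateLimiter()


def get_customer(req: Request, limiter=LIMITER):
    """Hardened handler: rate limit, authenticate, opaque id, object-level authz."""
    # 1. Cap requests per client before doing any work, so probing is bounded.
    if not limiter.allow(req.client_ip):
        return Response(429)
    # 2. Authenticate: every request must carry a known bearer token.
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    account = TOKENS.get(token) if token else None
    if account is None:
        return Response(401)
    # 3. Look up by opaque id only. Unknown ids and ids owned by another account
    #    both get 404, so the response never confirms that a record exists.
    public_id = req.path.rsplit("/", 1)[-1]
    rec = CUSTOMERS.get(public_id)
    if rec is None or rec["account"] != account:
        return Response(404)
    # 4. Object-level check passed: return only the fields this caller needs.
    return Response(200, {"id": public_id, "name": rec["name"]})


if __name__ == "__main__":
    print(get_customer_unauthenticated(1000001))            # leaks: 200 with PII
    print(get_customer(make_request("/api/customers/k8Qf3zV1pLw2Rt9x")))  # 401
    print(get_customer(make_request("/api/customers/k8Qf3zV1pLw2Rt9x", "tok-alice-example")))  # 200
```

The point of step 3 is that a valid token is not enough: the check is against the specific record, not the endpoint, so a legitimate customer cannot read another customer's record, and an opaque identifier gives an anonymous or malicious caller nothing to count through even if the other controls fail.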

The Australian policy response — mandatory notification of affected individuals, emergency identity-document replacement programmes, and ultimately a new Cyber Security Act — illustrates the downstream regulatory consequence of large-scale consumer data exposure. The policy logic is that organisations holding sensitive personal data at population scale are not just private actors managing their own risk: they are custodians of a national resource. The regulatory framework that Optus’s breach helped produce reflects that logic.
