Industry News

Millions of Optus customers potentially exposed in massive data breach

Optus, the second largest mobile network operator in Australia, announced that a cyber attack targeted its customer data systems, potentially exposing the personal information of nearly 10 million customers.

Who is Optus?

On September 22, Optus announced that it had experienced a cyber attack that potentially exposed the personal data of 9.8 million current and former subscribers. Central to the announcement were an official apology and a request for vigilance, delivered by CEO Kelly Bayer Rosmarin to all of the company’s customers.

The Sydney-based wireless carrier, which serves between 30% and 40% of Australia’s population, also outlined its immediate response: a) shutting down the attack; b) launching an internal investigation; c) notifying regulators, the media, and affected customers; and d) working with the relevant government agencies to minimise the impact and mitigate risks to customers.

One of Australia’s three mobile network operators, Optus is a subsidiary of Singtel, a telecommunications conglomerate majority-owned by the Singapore government through its investment arm, Temasek Holdings. Singtel operates the largest mobile network in Singapore and the second largest in India, and also owns the Brisbane-based IT consulting unit Dialog, which disclosed an unrelated data breach weeks before the attack on Optus was announced. Optus in turn fully owns the wireless brands gomo and Virgin Mobile Australia (phased out since 2018), whose customers were also impacted by the data breach.

Who attacked Optus?

With the incident still under active investigation by government agencies, the identity of the attacker(s) remains uncertain. So far only one individual or group, posting under the username “optusdata” on an online data breach forum, has claimed responsibility. On September 23, optusdata claimed to hold the data of 11 million Optus customers and threatened to sell it on the black market unless the telco paid US$1 million in Monero, a cryptocurrency.

Getting no response from Optus, optusdata released 10,200 customer records on September 26 but deleted the post a few hours later. The alleged attacker(s) then withdrew the ransom demand and issued a public apology to Optus and to the 10,200 customers whose data had been leaked, claiming to have deleted their only copy of the stolen data. Nonetheless, optusdata acknowledged that the records already exposed may well be exploited by other cyber criminals.

"Too many eyes. We will not sale data to anyone. We cant if we even want to: personally deleted data from drive (Only copy),” the post went. “Sorry too 10,200 Australian whos data was leaked,” it continued.

IT security professionals seriously doubt the attacker(s)’ remorse; some have found that links included in optusdata’s messages use “drive-by and explicit download techniques” to install malware. Some analysts believe the threat actors rescinded the extortion attempt to evade the aggressive inter-agency response from Australian law enforcement and cyber security agencies.

Notably, the individual or group behind the username “optusdata” has yet to be officially confirmed as the attacker by Australian authorities.

When did the attack happen?

Investigators have yet to determine exactly when the attack started; all that is certain is that it preceded Optus’ September 22 announcement.

Here’s a simplified timeline encompassing key events surrounding the data breach:

How was the attack orchestrated?

Optus, through CEO Kelly Bayer Rosmarin, initially described the breach as a “sophisticated attack.” Here are two statements given during a press conference and a radio interview:

“The IP address kept moving. It’s a sophisticated attack. Safe to say it comes out of various countries in Europe. And in terms of the customer data, I think it dates back to 2017.”

“[The data breach] was a sophisticated attack that penetrated multiple security layers.”

In contrast, the alleged attacker posting as “optusdata” told journalist Jeremy Kirk that the breach simply exploited an unsecured API endpoint, meaning anyone on the internet could retrieve the data without logging in. "No authenticate needed. That is bad access control. All open to internet for any one to use," the alleged attacker said in response to Kirk’s query.

Australia’s Cyber Security Minister Clare O’Neil appeared to agree, rejecting the Optus CEO’s characterisation of the attack as “sophisticated” and placing the blame squarely on the network operator:

"Responsibility for the security breach rests with Optus and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country … We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”

Many analysts and security experts believe the unsecured API (application programming interface) is the attack vector most likely exploited in the breach. Reachable from the public internet, the API reportedly returned unencrypted customer data without any authentication or authorisation step. If so, anyone who knew the endpoint could request customer records, and a malicious actor could trivially script those requests to harvest records in bulk.
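To make the access-control failure described above concrete, here is an added example (constructed for this article, not Optus code; the record layout, token format, field names and thresholds are assumptions). It models a customer-lookup handler in the open form the attacker described, beside a hardened form that authenticates the caller, checks that the authenticated subject may read the requested record, and throttles clients that walk the ID space, then runs a simple scraper against both:

```python
"""Hypothetical customer-lookup API, open versus hardened (illustrative only)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: fake records keyed by a sequential customer ID,
# carrying the kinds of fields the article lists. Not real people.
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1980-01-01", "email": "a@example.test",
           "phone": "+61400000001", "licence": "DL-0001"},
    1002: {"name": "B. Example", "dob": "1985-02-02", "email": "b@example.test",
           "phone": "+61400000002", "licence": "DL-0002"},
    1003: {"name": "C. Example", "dob": "1990-03-03", "email": "c@example.test",
           "phone": "+61400000003", "licence": "DL-0003"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to GET /customer/<customer_id>."""
    customer_id: int
    client_ip: str
    headers: dict


# --- Open endpoint: the "bad access control" the attacker described ----------
def lookup_customer_open(req: Request) -> tuple[int, Optional[dict]]:
    """Returns any record to any caller: no authentication, no authorisation."""
    rec = CUSTOMERS.get(req.customer_id)
    return (200, rec) if rec else (404, None)


# --- Hardened endpoint -------------------------------------------------------
# Assumption: sessions are "<customer_id>.<hex HMAC>" signed with a server key.
# A real service would use its session store or a JWT library instead.
SECRET_KEY = secrets.token_bytes(32)


def issue_token(customer_id: int) -> str:
    mac = hmac.new(SECRET_KEY, str(customer_id).encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{mac}"


def verify_token(token: str) -> Optional[int]:
    """Returns the authenticated customer_id, or None for a forged/malformed token."""
    try:
        cid_str, mac = token.split(".", 1)
        cid = int(cid_str)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, cid_str.encode(), hashlib.sha256).hexdigest()
    return cid if hmac.compare_digest(mac, expected) else None


# Per-client window of recently requested IDs; a client touching many distinct
# IDs is enumerating, whether or not it holds a credential. Thresholds are assumed.
WINDOW = 20
MAX_DISTINCT_IDS = 5
_recent: dict[str, deque] = defaultdict(lambda: deque(maxlen=WINDOW))


def enumeration_suspected(client_ip: str, customer_id: int) -> bool:
    seen = _recent[client_ip]
    seen.append(customer_id)
    return len(set(seen)) > MAX_DISTINCT_IDS


def lookup_customer_hardened(req: Request) -> tuple[int, Optional[dict]]:
    """Throttle enumeration, authenticate, then authorise per record."""
    if enumeration_suspected(req.client_ip, req.customer_id):
        return (429, None)                      # walking the ID space
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (401, None)                      # no credential at all
    subject = verify_token(auth[len("Bearer "):])
    if subject is None:
        return (401, None)                      # forged or malformed token
    if subject != req.customer_id:
        return (403, None)                      # valid login, someone else's record
    rec = CUSTOMERS.get(req.customer_id)
    return (200, rec) if rec else (404, None)


def harvest(handler, start: int, count: int, client_ip: str = "203.0.113.5",
            headers: Optional[dict] = None) -> int:
    """The 'automate it with a script' step: how many records a scraper gets back."""
    got = 0
    for cid in range(start, start + count):
        status, _ = handler(Request(cid, client_ip, headers or {}))
        got += status == 200
    return got


if __name__ == "__main__":
    print("open endpoint, no credentials:", harvest(lookup_customer_open, 1000, 10))
    print("hardened, no credentials:", harvest(lookup_customer_hardened, 1000, 10))
    tok = {"Authorization": "Bearer " + issue_token(1002)}
    print("hardened, own record:", lookup_customer_hardened(Request(1002, "198.51.100.7", tok))[0])
    print("hardened, another's record:", lookup_customer_hardened(Request(1001, "198.51.100.7", tok))[0])
```

Against the open handler the scraper collects every record that exists in the range it sweeps; against the hardened one it collects none, and the same client is throttled after a handful of distinct IDs even if it later obtains a valid session. The per-record check (`subject != req.customer_id`) is the step that separates "logged in" from "allowed to read this object", which is the distinction the attacker's "bad access control" remark points at.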

To date, Optus has not clarified how its customer data was accessed. Notably, a more recent statement from Optus tempered its original characterisation and admitted that there was a weakness in its systems:

“Optus, like many large organisations, is subject to many cyber attack attempts and we have in place strong defences that have protected and continue to protect our customers and Optus’ systems. In this instance, we had a specific weakness that was exploited.”

In the days following Optus’ announcement, the government’s allegation that the breach stemmed from the telco’s own security lapses became more pronounced. By early October, the government had accused Optus of being less transparent and cooperative than it should have been.

Which data were compromised?

According to Optus, 9.8 million customer records were exposed, including the following personal information:

  • Customer’s name
  • Date of birth
  • Phone number
  • Email address

For a subset of the exposed records, the following information (mostly identification numbers) was also accessed:

  • Postal address
  • Driver’s License number
  • Passport number
  • Medicare card number (around 36,900 Medicare card numbers have been exposed, according to Optus)

The following information has NOT been compromised:

  • Payment details
  • Account passwords
  • Messages
  • Voice Calls

Who is affected?

Subscribers of the following services from 2017 onwards are affected:

  • Prepaid and Postpaid Optus Mobile
  • Personal Optus Broadband
  • Optus Business (SMB)
  • Gomo

Amaysim, Coles Mobile, Catch Mobile, Enterprise, and Wholesale customers are not affected.

The breach involved customer data only; Optus’ home and mobile internet services themselves have not been affected.

What should you do if you were affected by the breach?

IT Security experts advise customers to stay vigilant even amid outrage and extreme stress following the data breach.

If you are affected, look out for and report suspicious emails, texts, phone calls, social media messages, and unusual activity across your online accounts. NEVER click on suspicious links or hand over credentials to anyone who contacts you unprompted, whatever the pretext. Remember that government agencies, financial institutions, and other legitimate organisations will not ask you to supply passwords, one-time codes, or full identity details in an unsolicited SMS, phone call, or email.

For customers whose data have been compromised, Optus provides a one-year free subscription to Equifax Protect, an identity protection and credit monitoring service that helps reduce the odds of financial and identity theft.

If Optus notifies you directly that your ID information has been compromised, replace your driver’s licence and/or Medicare card number. In most states and territories the replacement fee is either waived by the state government or reimbursed by Optus.

Resources for affected Optus customers

If you have been affected by the Optus data breach, here are several primary resources that can help you mitigate the impact and re-secure your accounts, identity information, and other personal data.

  1. Government Fact Sheet. Cyber and Infrastructure Security Centre, Department of Home Affairs. (Official government inter-agency fact sheet on the Optus Breach, aimed at helping affected customers.)
  2. Optus notifies customers of cyber attack compromising customer information. Optus. (Official announcement about the data breach.)
  3. Latest updates & support on the cyber attack. Optus. (Details remedial actions taken by Optus, provides customer support resources, and answers frequently asked questions.)
  4. What to do if you’ve been affected by the recent Optus data breach. Services Australia.  (Includes advice on how to replace your Medicare card.)
  5. Optus Data breach. Australian Passport Office. (Advice on how to manage exposure of your passport details.)
  6. Optus data breach: an update for APRA regulated entities. Australian Prudential Regulation Authority (Provides advice for APRA-regulated entities such as banks, credit unions, building societies, general insurance and reinsurance companies, life insurers, and private health insurers.)
  7. What additional cyber security steps can I do? Australian Cyber Security Centre. (Provides advice on how to secure your identity and cites several resource links, including the government’s ‘Have You Been Hacked?’ application and Identity theft webpage.)
  8. Advice on Optus data breach. Office of the Australian Information Commissioner.
  9. Optus data breach: How you can get a free replacement driver’s licence. SBS News. (Provides detailed, state-specific advice on replacement driver’s licenses.)
  10. Impacted by the Optus data breach? Here's how to replace your passport, drivers licence and Medicare card. Australian Broadcasting Corp. (Provides comprehensive advice on how to replace driver’s license, passport, and Medicare numbers.)
  11. Moneysmart: Identity Theft. Moneysmart. (A service of the Australian Securities and Investments Commission; provides advice to victims of Optus data breach on how to detect and prevent identity theft/fraud.)
  12. How to Avoid Scams After the Optus Data Breach. ACCC/Scamwatch. (provides basic practical tips on how to avoid scams.)

Notes:

Victims of the Optus data breach who are residents of Queensland, Victoria, New South Wales, Western Australia, and South Australia can obtain replacement driver’s licences for free. The Queensland, Western Australian, and South Australian governments will waive the fees, while Optus will reportedly cover the cost in NSW and Victoria by reimbursement. Other states and territories have yet to announce their response to the breach.

The federal government is also considering the reissuance of new passports to those affected, to be financed by Optus.

For customers whose Medicare information has been exposed, you can find actionable advice on Optus’ support page.

Next Steps for Everyone

The Optus Data Breach is turning out to be among the worst cyber attacks in Australia to-date. As the fallout spreads, all stakeholders in the country’s IT ecosystem – consumers, businesses, and the government – have reached a painful reckoning: you adapt to the threat landscape or you suffer.

Through no fault of their own, consumers are the true victims of the data breach. They are the ones left exposed to identity theft, financial fraud, and other scams. To protect themselves moving forward, only proactive vigilance and a heightened awareness of cyber criminal tactics will suffice.

For government authorities, smarter legislation for protecting data and penalising breaches will compel organisations to adopt progressively better IT security systems and protocols.

Much of the responsibility rests on businesses, which are the gatekeepers of so much consumer data. The only viable option is for the business sector to keep its cyber security posture well ahead of the similarly evolving state of cyber crime. Zero tolerance for weaknesses and vulnerabilities (such as the one allegedly exploited in the Optus data breach) must be the default for businesses of every type.

© 2026 Computer One Australia.