ACMA alleges Optus failed to protect its customer data
The Australian Communications and Media Authority (ACMA) is alleging that Optus failed to protect its customer data.
This data breach was due to an unprotected API endpoint left open to the internet.
ACMA claims that there were control measures in place for the API, but a coding error weakened one, making it possible to bypass. This error was further exploited because the API endpoint was both internet-facing and inactive for a long period.
The coding error was noticed by Optus in August 2021, but only on its primary website, www.optus.com.au. Optus did not fix the same issue for the API endpoint located on a subdomain.
ACMA believes that Optus had at least three opportunities to identify and rectify this vulnerability before it got exploited.
The endpoint was taken offline on September 21, 2022, just four days after the data breach was uncovered.
A detailed forensic study by Deloitte is likely to reveal more technical specifics of the breach. This report is also expected to feature in a separate class-action lawsuit filed against Optus.
ACMA released a concise statement, redacting specific system and technology names.
Optus' interim CEO, Michael Venter, said that Optus will continue cooperating with ACMA and will defend their position in the Federal Court case.
- CyberBeat
Latest News
- California's Controversial Bill Poses Major Changes for AI Industry
- Streamlining AI Regulations: A Call to Action from Tech Leaders
- U.S. Antitrust Lawsuit over Rent Hike Collusion Allegations – The New Era of Algorithm-Driven Price Manipulation?
- Mobile spyware application targeting Android smartphones
- Cisco's Billion-Dollar Bet: Bidding Humans Adieu in the AI Revolution
