This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Optus

Summary

Optus, Australia's second-largest telecommunications provider, disclosed a data breach in September 2022 after an API endpoint was left reachable from the public internet with no authentication in front of it. The breach exposed the personal information of nearly 10 million (about 9.8 million) current and former customers.

Attack Vector

Unauthenticated API endpoint with enumerable identifiers. The attacker discovered a test API endpoint that was exposed to the public internet without any authentication. Customer records were addressed by a sequential numeric "Customer ID" in the request URL, so the attacker could simply increment that number, request after request, and scrape millions of customer records without presenting any credentials. In application-security terms this is a broken object-level authorisation (IDOR) flaw compounded by missing authentication: the endpoint never checked who was asking, nor whether the requester was entitled to the record it returned, and the predictable ID space made walking the whole customer base trivial.
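The pattern described above, as an added illustration that is not Optus code or data: a hypothetical record lookup with no authentication and sequential IDs, the enumeration loop that scrapes it, a hardened lookup that checks both session and ownership, and a small detector that flags sequential ID walking in constructed access-log lines. The customer table, session store, log format and IP addresses are all assumed for the example.

```python
"""Hypothetical IDOR/enumeration demo (not Optus code); all data is constructed."""
import re
import secrets
from collections import defaultdict

# Constructed customer table keyed by a sequential integer ID (hypothetical records).
CUSTOMERS = {
    1000: {"name": "A. Example", "licence": "DL-0001"},
    1001: {"name": "B. Example", "licence": "DL-0002"},
    1002: {"name": "C. Example", "licence": "DL-0003"},
}


def vulnerable_lookup(customer_id: int):
    """Vulnerable handler: no authentication, no ownership check.

    Whatever ID arrives in the URL is looked up and returned as-is."""
    return CUSTOMERS.get(customer_id)


def enumerate_customers(lookup, start: int, stop: int) -> dict:
    """Attacker's scraper: walk the ID space and keep every record that exists."""
    found = {}
    for cid in range(start, stop):
        rec = lookup(cid)
        if rec is not None:
            found[cid] = rec
    return found


# Hardened variant: a bearer-token session store (constructed, in-memory).
SESSIONS: dict = {}


def issue_session(customer_id: int) -> str:
    """Log a customer in and return an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def hardened_lookup(token: str, customer_id: int):
    """Hardened handler, returning (http_status, body).

    Authentication: the token must map to a live session.
    Authorisation: the session owner must be the customer being requested,
    so incrementing the ID in the URL yields 403 rather than someone else's data."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None
    if owner != customer_id:
        return 403, None
    return 200, CUSTOMERS.get(customer_id)


# Detection side: constructed access-log lines in an assumed format
# "<timestamp> <src_ip> GET /api/customers/<id> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) GET /api/customers/(\d+) (\d{3})$")

SAMPLE_LOG = [
    f"2022-09-17T03:14:{i:02d}Z 203.0.113.5 GET /api/customers/{1000 + i} 200"
    for i in range(10)  # one source walking IDs 1000..1009
] + [
    "2022-09-17T03:15:00Z 198.51.100.7 GET /api/customers/1001 200",
    "2022-09-17T03:15:09Z 198.51.100.7 GET /api/customers/1001 200",
]


def detect_enumeration(log_lines, min_ids: int = 5, seq_ratio: float = 0.8) -> dict:
    """Flag sources that request many distinct IDs in mostly +1 steps.

    Returns {src_ip: distinct_id_count} for each source that exceeds both thresholds."""
    seen = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not customer lookups
        _ts, src, cid, _status = m.groups()
        seen[src].append(int(cid))
    alerts = {}
    for src, ids in seen.items():
        if len(set(ids)) < min_ids:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential = sum(1 for s in steps if s == 1)
        if steps and sequential / len(steps) >= seq_ratio:
            alerts[src] = len(set(ids))
    return alerts


if __name__ == "__main__":
    print("scraped:", enumerate_customers(vulnerable_lookup, 990, 1010))
    tok = issue_session(1001)
    print("own record:", hardened_lookup(tok, 1001))
    print("neighbour's record:", hardened_lookup(tok, 1002))
    print("alerts:", detect_enumeration(SAMPLE_LOG))
```

The ownership check in `hardened_lookup` is the fix that matters: authentication alone would still let any single logged-in customer walk the ID space. Replacing sequential IDs with random opaque identifiers raises the cost of enumeration further, but is a defence in depth, not a substitute for the authorisation check. The detector is deliberately simple; in practice the same signal (one source, many distinct object IDs, monotonic steps) is what a WAF or API gateway rate rule should key on.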

Consumer Impact

  • Identity theft risk: high. The exposure of driver's licence and Medicare numbers potentially allowed criminals to pass identity checks and take out loans in victims' names.
  • Phishing: victims reported a significant increase in targeted scam SMS and email attempts following the breach.

Response

The Australian Government introduced new regulations allowing telcos to share affected customers' data with banks and government agencies to detect and stop fraud. Optus agreed to cover the cost of replacing millions of driver's licences for affected customers across all states.
