Optus customer data breach
An unauthenticated API endpoint exposed personal data of 9.8 million current and former Optus customers — names, dates of birth, passport and driver's licence numbers — to a single anonymous attacker.
- Victim: Optus (Singtel)
- Loss: $140.0M
- Records exposed: 9.8M
- Users affected: 9.8M
On 22 September 2022, Australian telecom Optus disclosed that an attacker had downloaded personal records of up to 9.8 million current and former customers — roughly 40% of Australia's population — via an internet-facing unauthenticated REST API.
What happened
A customer-information endpoint at api.www.optus.com.au was reachable from the public internet without any authentication and accepted sequential numeric customer identifiers. The attacker enumerated identifiers and pulled records containing names, dates of birth, addresses, email addresses, phone numbers, and — for a subset — passport numbers, driver's licence numbers, and Medicare numbers.
The attacker initially demanded a US$1 million ransom, posted a sample of 10,000 records as proof, then publicly retracted the demand and apologised, citing concern about the scale of harm, and claimed to have deleted the only copy. That claim was never verified: the data was never confirmed to have been sold or further redistributed, but the records were never recovered either.
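The failure chain described above, as an added example that is not Optus's code and does not model its actual implementation: a lookup keyed by sequential integers with no caller identity, beside the same lookup with bearer authentication, object-level authorization, opaque identifiers and a per-caller rate limit. Every record, token, subject name and limit below is constructed for illustration.

```python
"""Vulnerable vs hardened customer-lookup endpoint (constructed example).

Models, without a web framework, the three failures the text describes:
no authentication, sequential customer IDs, and no rate limiting.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Constructed sample data (not Optus data): 50 records keyed by a sequential
# integer, the pattern the exposed endpoint used.
CUSTOMERS = {
    i: {"name": f"Customer {i}", "dob": f"19{70 + i % 30}-01-01",
        "licence": f"DL{1000000 + i}"}
    for i in range(1, 51)
}


def vulnerable_lookup(customer_id: int) -> dict | None:
    """Models the exposed endpoint: no caller identity, any ID returns a record."""
    return CUSTOMERS.get(customer_id)


def enumerate_vulnerable(start: int, stop: int) -> list[dict]:
    """What the attacker did: walk the ID space and keep every hit."""
    return [rec for cid in range(start, stop)
            if (rec := vulnerable_lookup(cid)) is not None]


@dataclass
class Request:
    path_id: str                # identifier taken from the URL path
    client_ip: str
    bearer: str | None = None   # Authorization: Bearer <token>, if sent


class HardenedApi:
    """Same lookup with authentication, object-level authorization,
    opaque identifiers and a per-caller fixed-window rate limit."""

    def __init__(self, limit: int = 20, window: float = 60.0, clock=time.monotonic):
        self._records: dict[str, dict] = {}      # opaque id -> record
        self._owner: dict[str, str] = {}         # opaque id -> owning subject
        self._subject: dict[str, str] = {}       # bearer token -> subject
        self._calls: dict[str, tuple[float, int]] = {}  # limiter key -> (window start, count)
        self._limit, self._window, self._clock = limit, window, clock

    def register(self, subject: str, record: dict) -> tuple[str, str]:
        """Store a record under a random, unguessable ID and issue its owner a token."""
        opaque_id = secrets.token_urlsafe(16)   # 128 bits: enumeration finds nothing
        token = secrets.token_urlsafe(32)
        self._records[opaque_id] = record
        self._owner[opaque_id] = subject
        self._subject[token] = subject
        return opaque_id, token

    def _allowed(self, key: str) -> bool:
        """Fixed-window counter: at most `limit` calls per `window` seconds per key."""
        now = self._clock()
        start, count = self._calls.get(key, (now, 0))
        if now - start >= self._window:
            start, count = now, 0
        self._calls[key] = (start, count + 1)
        return count + 1 <= self._limit

    def lookup(self, req: Request) -> tuple[int, dict | None]:
        # Rate limit first, keyed by token when present and by source IP
        # otherwise, so unauthenticated probing is throttled as well.
        if not self._allowed(req.bearer or req.client_ip):
            return 429, None
        subject = self._subject.get(req.bearer) if req.bearer else None
        if subject is None:
            return 401, None
        # Object-level authorization: a caller may read only their own record.
        # "Not found" and "not yours" look identical, so IDs cannot be probed.
        if self._owner.get(req.path_id) != subject:
            return 404, None
        return 200, self._records[req.path_id]


if __name__ == "__main__":
    print(f"vulnerable endpoint leaked {len(enumerate_vulnerable(0, 100))} records")
    api = HardenedApi(limit=3)
    own_id, own_token = api.register("alice", CUSTOMERS[1])
    other_id, _ = api.register("bob", CUSTOMERS[2])
    for req in (Request(own_id, "203.0.113.7", own_token),
                Request(other_id, "203.0.113.7", own_token),
                Request(own_id, "203.0.113.7")):
        print(api.lookup(req)[0])
```

The rate limiter is deliberately the simplest correct shape (a fixed window); a production gateway would use a sliding window or token bucket and key on more than token or IP, but the point the breach makes is that any limit at all would have turned a one-night download of 9.8 million rows into something an operations team notices.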
Impact
- 9.8 million customers had personal information stolen, including around 150,000 passport numbers, around 50,000 Medicare numbers and more than a million driver's licence numbers.
- Triggered emergency reissuance of identity documents across Australian states.
- Direct cost to Optus exceeded AUD $140 million (≈$95M USD) for customer remediation, document reissuance, and class actions.
- Catalyzed Australia's overhaul of privacy law penalties (maximum fines raised from AUD $2.2M to the greater of AUD $50M, 30% of turnover, or three times the benefit obtained).
- Led to civil penalty proceedings by the Office of the Australian Information Commissioner that remain open as of 2025.
Why it matters
Optus is a textbook example of API security as a tier-one risk: an internet-exposed customer endpoint with no authentication, no object-level authorization, predictable numeric identifiers and no rate limiting, so a single anonymous client could walk the entire customer table. The breach also reshaped Australian privacy enforcement and is now standard reading in regulatory and board-level discussions of identity-document exposure as a category of harm distinct from credential theft: a password can be rotated, but a passport or licence number cannot be changed without reissuing the document.
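The detection side of the same failure, as an added example that is not from the page or from Optus: enumeration of a sequential-ID endpoint leaves a distinctive footprint in access logs, one source walking adjacent IDs at machine speed. The log format, the `/api/customers/<id>` path, the thresholds and every address and ID below are constructed; no real Optus path or data is used.

```python
"""Spot sequential-ID enumeration in web access logs (constructed example)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-style lines; the customer path below is an invented one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
    r' (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
ID_RE = re.compile(r"^/api/customers/(\d+)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> dict | None:
    """Return ip/ts/cid/status for a customer-lookup request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_RE.match(m["path"])
    if not idm:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "cid": int(idm.group(1)), "status": int(m["status"])}


def detect_enumeration(lines, min_requests=20, window_s=60, seq_ratio=0.8) -> list[dict]:
    """Flag sources that fetch many distinct IDs, mostly adjacent, at high rate.

    A source is reported when it made at least min_requests lookups inside some
    window_s-second window and at least seq_ratio of its successive IDs stepped
    by 1 or 2. A customer re-reading their own record never trips this.
    """
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Peak request count in any sliding window of window_s seconds.
        peak, i = 0, 0
        for j in range(len(evs)):
            while (evs[j]["ts"] - evs[i]["ts"]).total_seconds() >= window_s:
                i += 1
            peak = max(peak, j - i + 1)
        ids = [e["cid"] for e in evs]
        steps = [b - a for a, b in zip(ids, ids[1:])]
        seq_frac = sum(1 for s in steps if 1 <= s <= 2) / len(steps) if steps else 0.0
        if peak >= min_requests and seq_frac >= seq_ratio:
            findings.append({"ip": ip, "requests": len(evs), "distinct_ids": len(set(ids)),
                             "peak_per_window": peak, "sequential_fraction": round(seq_frac, 2),
                             "id_range": (min(ids), max(ids))})
    return findings


def _line(ip: str, ts: datetime, path: str, status: int = 200, nbytes: int = 512) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} {nbytes}'


# Constructed sample log: one source walking 30 adjacent IDs once a second,
# two ordinary customers reading their own records, and one static asset.
_T0 = datetime(2022, 9, 21, 3, 12, 0, tzinfo=timezone(timedelta(hours=10)))
SAMPLE_LOG = (
    [_line("203.0.113.7", _T0 + timedelta(seconds=k), f"/api/customers/{48210 + k}")
     for k in range(30)]
    + [_line("198.51.100.4", _T0 + timedelta(seconds=5), "/api/customers/48215"),
       _line("198.51.100.4", _T0 + timedelta(seconds=40), "/api/customers/48215"),
       _line("198.51.100.9", _T0 + timedelta(seconds=12), "/api/customers/48300"),
       _line("198.51.100.9", _T0 + timedelta(seconds=13), "/static/logo.png")]
)

if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_LOG):
        print(finding)
```

Keying on source IP is the weak spot of this rule: an attacker who spreads the walk over many addresses drops below the per-source threshold, so the same check is worth running keyed on the authenticated principal (where one exists) and, at the aggregate level, on the fraction of all lookups that hit an ID adjacent to the previous one.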
Financial impact
Reported costs (AUD)
- Business loss: $60.0M
- Remediation: $80.0M
- Total: $140.0M
Timeline
An attacker discovers an unauthenticated REST API endpoint exposing customer records keyed by incrementing identifiers and begins bulk-downloading them.
21 September 2022: Optus detects unusual traffic against the endpoint and begins investigating.
22 September 2022: Optus publicly discloses the breach, initially stated as affecting up to 9.8 million customers.
24 to 27 September 2022: The attacker posts a sample of 10,000 records on a criminal forum and demands a US$1 million ransom, then retracts the demand and apologises.
17 May 2024: Australia's information commissioner files civil penalty proceedings against Optus in the Federal Court.
The Australian Communications and Media Authority publishes its investigation findings; total cost to Optus exceeds AUD $140M.
Sources
- optus.com.au: https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack
- oaic.gov.au: https://www.oaic.gov.au/about-us/our-regulatory-approach/civil-penalty-proceedings/optus-data-breach
- theguardian.com: https://www.theguardian.com/business/2022/sep/22/optus-data-breach-cyber-attack-personal-information-stolen