The wheels of justice move slowly sometimes. So it is in Australia, where the privacy regulator has finally filed civil penalty proceedings against telecoms giant Optus for a 2022 data breach which still reverberates to this day.

The federal court can impose a civil penalty of up to AU$2.2m (£1.1m) for each contravention, and the Australian information commissioner (AIC) alleges one contravention for each of the 9.5 million individuals whose privacy it claims Optus “seriously interfered with”. Although such an outcome is highly unlikely, this implies a theoretical maximum fine of over AU$20 trillion (£9.8 trillion).

But arguably more important than the outcome of the case is what local businesses can learn from the incident – in terms of how they manage data and risk governance.

A Breach That Shook Australia

The incident dates back to September 2022 when a threat actor managed to access the personal information of millions of customers at Australia’s second-largest telco. This included:

  • Names, dates of birth, home addresses, phone numbers and email addresses
  • Passport numbers, driver’s licence numbers, Medicare card numbers, birth certificate and marriage certificate information, and armed forces, defence force and police identification information

The AIC alleges Optus “did not take reasonable steps” to protect this information, citing the company’s size and resources, the volume of data breached and the risk of harm to individuals of its disclosure.

Exactly how much harm victims actually came to is disputed. The threat actor originally demanded a US$1m (£740,000) ransom, but later reversed course and claimed to have deleted the data. Whether it was sold on or used by fraudsters remains a mystery. But the emotional strain it placed on countless Australians, and on the government agencies that had to reissue identity documents, is clear.

The national outrage caused by the incident ushered in a new cybersecurity regime with higher data breach fines, and the country’s first standalone law in this area: the Cyber Security Act. The Australian Communications and Media Authority (ACMA) is also suing Optus for breaching the Telecommunications (Interception and Access) Act 1979.

What Happened?

The AIC has been tight-lipped on the details of the breach. However, filings in the ACMA case seen by SecurityScorecard tell a detailed story about what happened, and what went wrong. The security vendor claims that:

  • The threat actor gained access to Optus data via a misconfigured, dormant API
  • The API became internet-facing in 2020, but its access controls were rendered ineffective due to a coding error introduced in 2018
  • Although similar issues were found and fixed on the main Optus domain in 2021, the subdomain containing the API was left “exposed, unmonitored and unpatched”
  • The threat actor was able to query customer records over several days, rotating through tens of thousands of IP addresses to evade detection

Aside from the security snafu itself, question marks have been raised over why millions of breached records related to former customers. Data minimisation best practice states that many of these should have been deleted. There were also complaints over Optus’s crisis communications efforts. The firm originally claimed it had been the victim of a “sophisticated attack”, which was later challenged by experts. Some subsequently complained that the firm was slow to release important details to anxious customers, to apologise and take ownership, and to provide actionable advice to those affected.

“The Optus breach is a clear reminder that managing cyber risk has two sides. The first is in software development itself — identifying and managing risk before, during, and after code goes live. Insecure software or misconfiguration can create major consequences when customer information is involved,” Patterned Security director, Mac Moeun, tells ISMS.online.

“The second is how you handle the incident. Having a proven, disaster recovery-tested plan, being upfront, communicating early and often, and giving customers clarity on what’s been impacted. These steps give you the best chance of maintaining customer trust.”

What Lessons Can We Learn?

The Optus breach was the first in a lengthy line of big-name incidents that shook Australia, including Medibank and Latitude Financial. But as the first and one of the worst, it represents a cautionary tale for many. Parent company Singtel set aside AU$140m (£68.5m) to cover the cost of the fallout, and there were reports of significant customer churn following the incident.

From a purely technical perspective, CISOs should consider:

  • Tracking potential security risks such as dormant APIs and unmanaged assets
  • Deploying behaviour-based monitoring to flag suspicious activity (such as IP rotation)
  • Data minimisation as a best practice, ensuring anything no longer needed by the organisation is deleted
  • Secure coding practices (DevSecOps) including automated scanning
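The attacker tactic described under “What Happened?” (customer records queried over days from a rotating pool of source IPs) is exactly the case that per-IP rate limiting misses, which is why the bullet above calls for behaviour-based monitoring. The following is an added example, not code from the article, Optus or SecurityScorecard: it runs a conventional per-IP threshold and an endpoint-level enumeration check over a constructed access log. The log format, the `/api/customer/<id>` path, the IP addresses and the thresholds are all assumptions made for illustration.

```python
"""Endpoint-level enumeration detection versus per-IP rate limiting.

Added example (not code from the article, Optus or SecurityScorecard).
It models the tactic described above: customer records queried over time
from a rotating pool of source IPs so that per-IP thresholds never trip.
The log format, the /api/customer/<id> path, the IPs and the thresholds
are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed access log: one legitimate user (198.51.100.7) fetching their own
# record twice, and ten rotating sources each fetching exactly one record with
# consecutive customer ids. No single IP is noisy; the endpoint as a whole is.
SAMPLE_LOG = """\
2022-09-17T10:00:01Z 198.51.100.7 GET /api/customer/5550001 200
2022-09-17T10:00:05Z 203.0.113.10 GET /api/customer/100001 200
2022-09-17T10:00:09Z 203.0.113.11 GET /api/customer/100002 200
2022-09-17T10:00:14Z 203.0.113.12 GET /api/customer/100003 200
2022-09-17T10:00:20Z 203.0.113.13 GET /api/customer/100004 200
2022-09-17T10:00:27Z 203.0.113.14 GET /api/customer/100005 200
2022-09-17T10:00:33Z 203.0.113.15 GET /api/customer/100006 200
2022-09-17T10:00:41Z 203.0.113.16 GET /api/customer/100007 200
2022-09-17T10:00:48Z 203.0.113.17 GET /api/customer/100008 200
2022-09-17T10:00:55Z 203.0.113.18 GET /api/customer/100009 200
2022-09-17T10:01:02Z 203.0.113.19 GET /api/customer/100010 200
2022-09-17T10:01:10Z 198.51.100.7 GET /api/customer/5550001 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) [A-Z]+ /api/customer/(?P<cid>\d+) \d{3}$"
)


def parse_log(text):
    """Return (timestamp, source_ip, customer_id) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip anything that is not a customer-record lookup
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], int(m["cid"])))
    return sorted(events)


def per_ip_offenders(events, limit=5, window=timedelta(hours=1)):
    """Classic per-source rate limit: IPs that exceed `limit` requests in any window."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, _ in events:
        stamps_by_ip[ip].append(ts)
    offenders = set()
    for ip, stamps in stamps_by_ip.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > limit:
                offenders.add(ip)
                break
    return offenders


def enumeration_alerts(events, min_ids=10, max_ids_per_ip=2, rotation_ratio=0.8):
    """Per-endpoint, per-hour check that does not care which IP made each call.

    Alerts when a bucket shows many distinct customer ids fetched and most
    sources touched only a couple of ids each (the signature of cheap IP
    rotation). The sequential fraction measures how id-by-id the enumeration was.
    """
    buckets = defaultdict(list)
    for ts, ip, cid in events:
        buckets[ts.replace(minute=0, second=0, microsecond=0)].append((ip, cid))

    alerts = []
    for start in sorted(buckets):
        ids_by_ip = defaultdict(set)
        for ip, cid in buckets[start]:
            ids_by_ip[ip].add(cid)
        ids = sorted({cid for _, cid in buckets[start]})
        if len(ids) < min_ids:
            continue
        light_touch = sum(1 for s in ids_by_ip.values() if len(s) <= max_ids_per_ip)
        ratio = light_touch / len(ids_by_ip)
        if ratio < rotation_ratio:
            continue
        sequential = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1) / (len(ids) - 1)
        alerts.append({
            "window_start": start,
            "distinct_ids": len(ids),
            "distinct_ips": len(ids_by_ip),
            "light_touch_ratio": ratio,
            "sequential_fraction": sequential,
        })
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP offenders:", per_ip_offenders(evs) or "none")
    for a in enumeration_alerts(evs):
        print("enumeration alert:", a)
```

On the constructed log the per-IP check returns nothing, while the endpoint-level check raises one alert for the 10:00 hour: eleven distinct ids from eleven sources, every source touching at most two ids, and 90% of the ids consecutive. Against a campaign spread over several days and tens of thousands of addresses, as the article describes, the same logic applies with wider buckets and a lower per-source touch count; the point is that the metric is keyed to the data being read, not to who is reading it.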

Ryan Sherstobitoff, field chief threat intelligence officer at SecurityScorecard, tells ISMS.online: “The Optus breach highlights the need for strict API inventories and audits (including dormant endpoints), secure coding with continuous vulnerability scanning, strong data retention/deletion policies, and advanced anomaly detection to catch low sophistication but effective attacker tactics.”

Separately, the AIC focuses on the need for layered security controls, clear ownership of domains, robust security monitoring, and regular reviews. However, organisations can arguably go one better. A more holistic response would be to implement best practice standards like ISO 27001 and 27701 (for implementing an Information Security Management System and Privacy Information Management System respectively).

They offer a comprehensive, risk-based framework for managing and protecting sensitive data including personally identifiable information (PII). The journey to compliance will ensure that organisations are able to understand what data they manage, where security gaps might exist and which controls and processes will help to close these gaps. Crucially, the standards promote the idea of continuous monitoring and improvement, so that complying organisations successfully adapt to changing IT infrastructure, threat trends and other factors.

“These ISMS frameworks provide structured, auditable controls for asset management, secure development, monitoring, and PII lifecycle governance — helping organisations enforce zero-trust principles, minimize data exposure, and avoid long-term coding or retention blind spots,” says Sherstobitoff.

The Optus breach may have been three years ago, but it still casts a shadow over Australian businesses today. If more learn from the mistakes of the past, that’s no bad thing.