#telecom #api #australia

Optus 2022

Australia's second-largest telco lost the personal records of 9.8 million customers — including 1.2 million still-valid passport and driver's license numbers — through an unauthenticated API.

Cyber Chronicle

In late September 2022, the Australian telecommunications operator Optus disclosed that an attacker had accessed the personal data of approximately 9.8 million current and former customers, including 1.2 million people whose passport or driver's license numbers were still valid. In a country of roughly 26 million, the scale was national news within hours.

An API without authentication

Australian and international reporting converged on a remarkably mundane root cause: an Optus API endpoint, exposed to the public internet, that accepted unauthenticated requests for customer records. The attacker appears to have enumerated customer identifiers and pulled the records sequentially. The mechanism did not require sophisticated exploitation. It required noticing that an internal-looking URL was reachable from outside.
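As an added illustration, not Optus's code and not drawn from the reporting, the Python sketch below models the defect class described above: a customer-record lookup keyed by a sequential integer that checks nothing about the caller. It is placed next to a handler that requires a session token and enforces object-level authorization, plus a small access-log check that flags the near-consecutive-ID pull pattern such an endpoint leaves behind. The record fields, the token-to-customer mapping, the log line format and the sample IP addresses are all constructed assumptions.

```python
"""Constructed model of an enumerable, unauthenticated customer-record API
beside a hardened equivalent and a log-based enumeration check.
Not Optus code; every identifier and format here is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample store keyed by sequential customer IDs (assumption).
CUSTOMERS = {
    1001: {"name": "A. Example", "passport": "PA0000001"},
    1002: {"name": "B. Example", "passport": "PB0000002"},
    1003: {"name": "C. Example", "passport": "PC0000003"},
}

# Constructed session tokens: token -> the customer the session belongs to.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


def lookup_unauthenticated(customer_id: int):
    """The weak pattern: anyone who can reach the URL and supply an integer
    gets the record. Nothing about the caller is checked, and sequential
    IDs make every other record one increment away."""
    return CUSTOMERS.get(customer_id)


@dataclass
class Denied:
    status: int
    reason: str


def lookup_hardened(bearer_token: str, customer_id: int):
    """Authenticate the caller, then enforce object-level authorization:
    a session may read only the record it belongs to."""
    caller = SESSIONS.get(bearer_token)
    if caller is None:
        return Denied(401, "missing or invalid token")
    if caller != customer_id:
        # Same answer whether or not the target ID exists, so the endpoint
        # cannot be used to confirm which identifiers are live.
        return Denied(403, "not authorized for this record")
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return Denied(404, "no such record")
    return record


# Assumed access-log shape: "<ip> GET /api/customers/<id> <status>".
LOG_RE = re.compile(r"^(?P<ip>\S+) GET /api/customers/(?P<cid>\d+) (?P<status>\d{3})$")


def flag_enumeration(log_lines, min_ids: int = 5, max_gap: int = 1):
    """Flag source IPs that fetched a run of many distinct, near-consecutive
    customer IDs. Returns {ip: length_of_longest_consecutive_run}."""
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m["ip"]].add(int(m["cid"]))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            best = max(best, run)
        if best >= min_ids:
            flagged[ip] = best
    return flagged


# Constructed log sample: one client walking IDs in order, one normal client.
SAMPLE_LOG = [
    "203.0.113.7 GET /api/customers/1001 200",
    "203.0.113.7 GET /api/customers/1002 200",
    "203.0.113.7 GET /api/customers/1003 200",
    "203.0.113.7 GET /api/customers/1004 200",
    "203.0.113.7 GET /api/customers/1005 200",
    "203.0.113.7 GET /api/customers/1006 200",
    "198.51.100.9 GET /api/customers/1002 200",
    "198.51.100.9 GET /api/customers/1002 200",
]

if __name__ == "__main__":
    print("unauthenticated:", lookup_unauthenticated(1002))
    print("hardened, wrong owner:", lookup_hardened("tok-alice", 1002))
    print("hardened, owner:", lookup_hardened("tok-bob", 1002))
    print("enumeration flags:", flag_enumeration(SAMPLE_LOG))
```

The authorization check is the fix for the root cause; the log heuristic is a compensating control, useful because a sequential pull is visible in ordinary access logs long before the data turns up elsewhere. Replacing sequential integers with opaque, non-guessable identifiers would reduce the blast radius further, but on its own it is not a substitute for checking who is asking.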

The attacker briefly attempted to extort Optus for a million US dollars, posted a sample of the stolen data, then withdrew the extortion attempt and publicly apologized. A nineteen-year-old Sydney resident was later arrested in connection with the use of the leaked data for fraud, separate from the original intrusion.

A regulatory recalibration

Optus's disclosure landed alongside the Medibank incident a few weeks later, and the two together prompted a structural shift in Australian data-protection law. The federal government raised the maximum penalty under the Privacy Act from 2.2 million Australian dollars to the larger of 50 million or three times the value of the benefit derived from the contravention.

What the chronicle remembers

Optus was the call that made API security an executive-level conversation in Australia. A single unauthenticated endpoint, in production, was enough to expose a substantial fraction of the country's adult population. Every regulatory regime that subsequently asked telcos to audit their public-facing APIs is, in some sense, working from the Optus template.