5 Lessons from the Optus Data Breach for Telecom and Third-Party Risk
In late 2022, Australia’s second-largest telecom provider, Optus, suffered a data breach that exposed the sensitive data of up to 10 million customers. The incident triggered national debate on data protection, regulatory reform, and the cybersecurity maturity of large telecom providers.
For cybersecurity leaders, the Optus breach offers a powerful case study in what happens when personal information, supply chain relationships, and misconfigured APIs collide.
What Happened?
In September 2022, Optus, one of Australia’s largest telecommunications providers, reported a massive data breach that exposed sensitive information belonging to over 9.5 million current and former customers. Many of the records pertained to former customers—raising questions about data retention policies and their alignment with risk-based principles. The incident triggered public outcry, governmental scrutiny, and sweeping regulatory consequences that continue to unfold.
At the center of the breach was a reportedly misconfigured, dormant API. According to filings from the Australian Communications and Media Authority (ACMA), this API became internet-facing in 2020, but access controls had been rendered ineffective by a coding error introduced as early as 2018.
Critically, the API required no authentication, allowing a hacker to query customer records over a period of several days in September of 2022. ACMA emphasized that the breach did not involve advanced tools or tactics. Instead, the hacker reportedly used a process of trial and error. The attacker mimicked legitimate customer activity, rotating through tens of thousands of IP addresses to evade detection, according to the company.
This wasn’t a case of state-sponsored espionage or novel zero-days—it was an exploitation of overlooked infrastructure. The vulnerability remained undetected for years, even after a similar issue was identified and remediated on the main domain in 2021. The subdomain containing the vulnerable API was left exposed, unmonitored, and unpatched until the attack.
What Data Was Exposed?
The breach compromised the personally identifiable information (PII) of over 9.5 million Australians. For 2.1 million customers, government-issued identity documents were exposed—1.2 million of which were valid and unexpired.
The exposed data included:
- Full names
- Dates of birth
- Phone numbers
- Residential addresses
- Email addresses
- Driver’s license numbers
- Passport numbers
- Medicare card numbers
A subset of this data—about 10,200 records—was posted online by a hacker demanding a US$1 million ransom. Although the hacker later retracted the threat and claimed to have deleted the data, the damage was done. Identity theft risks soared, and many affected individuals were left scrambling to replace official documents and secure their online accounts.
5 Top CISO Takeaways from the Optus Breach
The Optus breach wasn’t just a telecom failure—it was a multi-layered breakdown in basic cybersecurity hygiene, system monitoring, and risk governance. Here are five actionable takeaways for CISOs managing risk in highly interconnected environments:
1. Dormant APIs Are a Silent Threat
The breach began with a reportedly inactive API that was still accessible from the public internet. Dormant APIs, especially those created for legacy functionality, are often overlooked in security reviews. CISOs must establish a comprehensive API inventory that includes inactive and deprecated endpoints and subject them to continuous access control validation.
Lesson: Conduct quarterly API audits and enforce zero-trust policies for all internet-facing interfaces—even those assumed to be unused.
2. Coding Errors Can Become Long-Term Liabilities
A single line of faulty code introduced in 2018 remained exploitable for years, according to ACMA. ACMA reported that despite identifying and attempting to fix the error in 2021, Optus failed to assess subdomains for the same vulnerability, leaving the fix inadequate.
Lesson: Implement secure software development lifecycle (SSDLC) practices. Use automated scanning tools to flag inconsistent security settings during Continuous Integration and Continuous Delivery (CI/CD) processes.
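The two lessons above (an inventory that includes dormant endpoints, and CI checks that catch a fix applied to one host but not another) can be enforced with a small pipeline gate. The following is an added example, not Optus code or SecurityScorecard tooling: the inventory schema (host, path, status, internet_facing, auth), the auth modes and the allowlist are assumptions, and the entries are constructed to mirror the pattern the page describes, where the same route is protected on the main host but open on a forgotten subdomain.

```python
"""CI gate: validate access-control settings across an API inventory.

Added example with a constructed inventory. The record format and the
set of auth modes are assumptions, not a real gateway's schema.
"""
from collections import defaultdict

# Relative strength of each auth mode; higher is stronger (assumed set).
AUTH_STRENGTH = {"none": 0, "api_key": 1, "oauth2": 2}

# Constructed inventory. Note the dormant subdomain entry: same route as the
# main host, but with no authentication at all.
INVENTORY = [
    {"host": "api.example.test", "path": "/v1/customers/{id}",
     "status": "active", "internet_facing": True, "auth": "oauth2"},
    {"host": "legacy.example.test", "path": "/v1/customers/{id}",
     "status": "dormant", "internet_facing": True, "auth": "none"},
    {"host": "api.example.test", "path": "/v1/health",
     "status": "active", "internet_facing": True, "auth": "none"},
    {"host": "internal.example.test", "path": "/v1/batch",
     "status": "deprecated", "internet_facing": False, "auth": "none"},
]

# Routes that are intentionally public; everything else needs some auth.
PUBLIC_ALLOWLIST = {"/v1/health"}


def find_exposed_unauthenticated(inventory):
    """Internet-facing endpoints with no auth, dormant/deprecated included.

    Status is deliberately ignored: an endpoint nobody uses is still reachable.
    """
    return [e for e in inventory
            if e["internet_facing"] and e["auth"] == "none"
            and e["path"] not in PUBLIC_ALLOWLIST]


def find_inconsistent_auth(inventory):
    """Same path served from several hosts with differing auth strength."""
    by_path = defaultdict(list)
    for e in inventory:
        by_path[e["path"]].append(e)
    findings = []
    for path, entries in by_path.items():
        strengths = {AUTH_STRENGTH[e["auth"]] for e in entries}
        if len(strengths) > 1:
            weakest = min(entries, key=lambda e: AUTH_STRENGTH[e["auth"]])
            findings.append({"path": path,
                             "weakest_host": weakest["host"],
                             "weakest_auth": weakest["auth"]})
    return findings


def ci_gate(inventory):
    """Return (exit_code, findings); a non-zero code fails the pipeline."""
    findings = {"exposed": find_exposed_unauthenticated(inventory),
                "inconsistent": find_inconsistent_auth(inventory)}
    exit_code = 1 if (findings["exposed"] or findings["inconsistent"]) else 0
    return exit_code, findings


if __name__ == "__main__":
    code, found = ci_gate(INVENTORY)
    for e in found["exposed"]:
        print(f"FAIL no auth on internet-facing {e['host']}{e['path']} "
              f"(status={e['status']})")
    for i in found["inconsistent"]:
        print(f"FAIL inconsistent auth on {i['path']}: weakest host "
              f"{i['weakest_host']} uses {i['weakest_auth']}")
    raise SystemExit(code)
```

Run it as a pipeline step; the gate fails on the constructed inventory because of the dormant subdomain, and passes once that entry is either removed or given the same auth as the main host. The inconsistency check is the piece that would have caught a fix applied to one domain but not its subdomains.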
3. Data Retention Must Align With Risk Tolerance
Millions of records exposed in the breach belonged to former customers. Retaining sensitive identity data after its useful life increases the attack surface unnecessarily.
Lesson: Reevaluate data retention policies regularly. Implement automated data minimization workflows that flag records for deletion after contract termination or regulatory expiration periods.
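An automated minimization workflow of the kind this lesson calls for is, at its core, a per-category retention clock that starts when the relationship ends. The following is an added example, not Optus's policy or any regulator's actual rule: the retention periods, data categories, record fields and legal-hold flag are assumptions, and the records are constructed.

```python
"""Flag records for deletion under a per-category retention policy.

Added example. Periods, categories and record fields are assumptions
chosen to illustrate the workflow, not real regulatory figures.
"""
from datetime import date, timedelta

# Assumed policy: days each category may be kept after the contract ends.
# Identity documents get the shortest window because they are the most
# damaging to lose and the least useful once onboarding is complete.
RETENTION_DAYS = {
    "identity_document": 30,   # passport / driver's licence numbers
    "contact": 365,            # address, phone, email
    "billing": 7 * 365,        # assumed financial record-keeping period
}


def retention_deadline(record):
    """Date after which the record may no longer be kept (None if active)."""
    end = record.get("contract_end")
    if end is None:            # active customer: the clock has not started
        return None
    return end + timedelta(days=RETENTION_DAYS[record["category"]])


def flag_for_deletion(records, today):
    """Records past their retention deadline and not under legal hold."""
    flagged = []
    for r in records:
        deadline = retention_deadline(r)
        if deadline is None or r.get("legal_hold", False):
            continue
        if today > deadline:
            flagged.append(r)
    return flagged


def expired_identity_documents(records, today):
    """Count of identity documents still held past their deadline."""
    return sum(1 for r in flag_for_deletion(records, today)
               if r["category"] == "identity_document")


# Constructed sample records (customer id, category, contract end, hold).
RECORDS = [
    {"customer": "c1", "category": "identity_document",
     "contract_end": date(2020, 3, 1)},
    {"customer": "c1", "category": "billing",
     "contract_end": date(2020, 3, 1)},
    {"customer": "c2", "category": "identity_document",
     "contract_end": None},                       # still active
    {"customer": "c3", "category": "contact",
     "contract_end": date(2021, 1, 15), "legal_hold": True},
    {"customer": "c4", "category": "contact",
     "contract_end": date(2021, 1, 15)},
]


if __name__ == "__main__":
    today = date(2022, 9, 1)
    for r in flag_for_deletion(RECORDS, today):
        print(f"DELETE {r['customer']} {r['category']} "
              f"(deadline {retention_deadline(r)})")
    print("identity documents held past deadline:",
          expired_identity_documents(RECORDS, today))
```

Run on a schedule, the flagged list becomes the deletion queue; the legal-hold check is what keeps the workflow from deleting records needed for an open dispute or investigation, and the identity-document count is the number a CISO would want on a dashboard, since every such record is attack surface with no business value.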
4. Basic Threat Tactics Are Still Highly Effective
The attacker used IP rotation and mimicked customer behavior to avoid triggering standard detection mechanisms. This underlines how even low-complexity attacks can succeed against high-value targets when monitoring is insufficient.
Lesson: Deploy behavior-based anomaly detection systems that baseline normal usage patterns. Configure alert thresholds for volumetric or geographic anomalies—especially on customer-facing services.
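The reason per-IP thresholds fail against the pattern the page describes is that each address stays under any sensible limit; the signal only appears when requests are aggregated by endpoint and time window. The detector below is an added example with constructed log lines, not a description of Optus's monitoring: the log format, the baseline window, the thresholds (5x the baseline's distinct records per minute, and more than 80% of requests from addresses never seen in the baseline) and the TEST-NET addresses are all assumptions.

```python
"""Volumetric anomaly detection for a customer-lookup endpoint.

Added example with constructed logs. Aggregates per endpoint and minute:
distinct customer records touched, and the share of requests from IPs
absent from the baseline period, both compared against that baseline.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log format: "<iso-timestamp> <client-ip> GET /v1/customers/<id> <status>"
LINE = re.compile(r"(\S+) (\S+) GET /v1/customers/(\d+) (\d+)")


def parse(lines):
    """Yield (minute_bucket, ip, customer_id) from lines matching LINE."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        yield ts.replace(second=0, microsecond=0), m.group(2), m.group(3)


def window_stats(events, known_ips):
    """Per minute: request count, distinct customer ids, share of unseen IPs."""
    buckets = defaultdict(lambda: {"requests": 0, "ids": set(), "new_ip": 0})
    for minute, ip, cid in events:
        b = buckets[minute]
        b["requests"] += 1
        b["ids"].add(cid)
        if ip not in known_ips:
            b["new_ip"] += 1
    return {m: {"requests": b["requests"],
                "distinct_ids": len(b["ids"]),
                "new_ip_share": b["new_ip"] / b["requests"]}
            for m, b in buckets.items()}


def detect(lines, baseline_lines, id_multiplier=5, new_ip_share=0.8):
    """Minutes where distinct-record volume or unseen-IP share exceed baseline."""
    baseline_events = list(parse(baseline_lines))
    known_ips = {ip for _, ip, _ in baseline_events}
    base = window_stats(baseline_events, known_ips)
    base_ids = max(s["distinct_ids"] for s in base.values())
    alerts = []
    for minute, s in sorted(window_stats(parse(lines), known_ips).items()):
        reasons = []
        if s["distinct_ids"] > id_multiplier * base_ids:
            reasons.append(f"distinct_ids={s['distinct_ids']} exceeds "
                           f"{id_multiplier}x baseline ({base_ids})")
        # Require a minimum volume so one stray new client does not alert.
        if s["new_ip_share"] > new_ip_share and s["requests"] >= 10:
            reasons.append(f"new_ip_share={s['new_ip_share']:.2f}")
        if reasons:
            alerts.append((minute.isoformat(), reasons))
    return alerts


def max_requests_per_ip(lines):
    """What a per-IP rate limit would see: the busiest single address."""
    return max(Counter(ip for _, ip, _ in parse(lines)).values())


# Constructed baseline: a few known clients, about two records per minute.
BASELINE = [
    "2022-09-16T10:00:05Z 203.0.113.10 GET /v1/customers/100001 200",
    "2022-09-16T10:00:40Z 203.0.113.11 GET /v1/customers/100002 200",
    "2022-09-16T10:01:12Z 203.0.113.12 GET /v1/customers/100003 200",
    "2022-09-16T10:01:50Z 203.0.113.10 GET /v1/customers/100001 200",
]

# Constructed window: one normal minute, then one minute of twenty requests
# from twenty never-seen addresses, each touching a different record.
WINDOW = [
    "2022-09-17T10:00:03Z 203.0.113.10 GET /v1/customers/100001 200",
    "2022-09-17T10:00:30Z 203.0.113.11 GET /v1/customers/100002 200",
] + [f"2022-09-17T10:01:{i:02d}Z 198.51.100.{i} GET /v1/customers/{200000 + i} 200"
     for i in range(1, 21)]


if __name__ == "__main__":
    print("busiest single IP in window:", max_requests_per_ip(WINDOW), "request(s)")
    for minute, reasons in detect(WINDOW, BASELINE):
        print("ALERT", minute, "; ".join(reasons))
```

On the constructed data the busiest address makes a single request, so a per-IP threshold never fires, while the endpoint-level view alerts on the second minute for both reasons. In production the baseline would be computed over a longer period and per customer segment, and the geographic counterpart of the new-IP check would compare the ASN or country mix of a window against the same baseline.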
5. Security Reviews Must Cover Shadow IT and Untracked Assets
One of the most problematic aspects of the breach is that the vulnerable API persisted through multiple opportunities for detection—during its 2018 rollout, its 2020 exposure, and even in a 2021 related fix.
Lesson: Expand risk assessments to include all digital assets, not just active infrastructure. Consider third-party attack surface management (ASM) tools to help map internet-exposed assets that fall outside of current inventories.
What the Optus Breach Reveals About Telecom Security Risks
Telecommunications infrastructure is foundational to modern society—but it’s also uniquely vulnerable. From customer-facing portals to core networking gear, the attack surface is vast and often relies on legacy systems or piecemeal modernization efforts. The Optus breach is a wake-up call, particularly as 5G rollouts and edge computing expand exposure points.
Telecommunications companies sit at the nexus of personal identity and digital access. A breach doesn’t just expose one account—it can provide individual pieces of information that can form a mosaic for bad actors and contribute to identity theft, SIM swapping, and fraud across multiple sectors. In this context, strong identity protection, attack surface visibility, and continuous monitoring must be considered table stakes.
For a broader view of breach trends across industries, explore SecurityScorecard’s latest research:
🔎 Global Third-Party Breach Report
Transform Third-Party Risk into a Supply Chain Resilience Strategy
With SecurityScorecard’s SCDR, gain actionable insights into your vendors’ security postures. Our platform empowers you to make informed decisions, ensuring compliance and strengthening your supply chain’s cybersecurity.