A coding error in an access control allegedly left an API open to abuse, facilitating the Optus data breach, according to the Australian Communications and Media Authority (ACMA).
A partially redacted statement of claim, annexed to court orders published yesterday, lays out the argument the ACMA will make in its case alleging Optus breached its obligations in not protecting customer data.
The data breach had previously been attributed to the existence of an internet-facing, unauthenticated API endpoint.
The statement of claim confirms the previously reported version of events but differs on the issue of whether access controls were in place to manage permissions for using the API.
The ACMA alleges that Optus did have access controls in place for the API, but inadvertently weakened one with a code change, allowing it to be bypassed.
The attack was allegedly further aided by the API endpoint being internet-facing yet “dormant and not in use” for an extended period.
Optus, the ACMA alleges, noticed the coding error in August 2021 – about three years after it was made – but only in relation to its main site, www.optus.com.au.
It “did not detect or fix that same issue” for the API endpoint, which was on a subdomain.
The ACMA alleges Optus had at least three chances to recognise that the vulnerable access control also affected the API endpoint, prior to it being exploited.
The endpoint was pulled offline on September 21, 2022, four days after the data breach was uncovered.
What Optus says
In a statement to iTnews, Optus acknowledged the release of the ACMA documents and confirmed the code vulnerability.
“The cyberattack resulted from the cyber attacker being able to exploit a previously unknown vulnerability in our defences that arose from a historical coding error,” interim CEO Michael Venter said.
“This vulnerability was exploited by a motivated and determined criminal as they probed our defences, and then exploited and evaded these defences by taking steps to bypass various authentication and detection controls that were in place to protect our customers’ data.
“The criminal did this by mimicking usual customer activity and rotating through tens of thousands of different IP addresses to evade detection.”
Optus confirmed the vulnerability was closed following the attack, and that it had “since reviewed its systems and processes and continued to invest to uplift its cyber defences to meet the heightened global cyber risk environment.”
Venter said Optus would “continue to cooperate with the ACMA” on the Federal Court case, adding that “it intends to defend this action and where necessary, correct the record.”
Deloitte report access
Counsel for the ACMA will likely be privy to further technical details in the form of a forensic report prepared by Deloitte, which they are to receive by the end of the week.
The same report is also being handed over in a separate class action filed against the telco, despite attempts to keep the document under wraps.
The ACMA concise statement was released with some redactions around system and technology names.
Identity document reissue reimbursements
Relating to the aftermath rather than the technical explanation, the ACMA court filing also reveals that, in the wake of the breach, Optus has reimbursed 20,071 current and former customers for the cost of replacing identity documents, and that it is also paying costs incurred by government agencies.
Venter said the telco “deeply regrets the cyberattack occurred.”
“Our customers expected their information would remain safe,” he said.
“We accept that this did not happen, and the cyber attacker gained unauthorised access to some of their information.”
The matter has been listed for a case management hearing on September 13.