
Optus Data Breach: 10 Million Customer Records Stolen Via Unprotected API

Published: 2025-01-22 | Tags: Telecommunications, API Vulnerability, Identity Theft, Australia

What Happened

In September 2022, Optus — Australia's second-largest telecommunications provider — suffered a massive data breach that exposed the personal information of up to 9.8 million customers. The stolen data included names, dates of birth, phone numbers, email addresses, and critically, government identity documents including passport numbers, driver's licence numbers, and Medicare card numbers.

The breach sent shockwaves through Australia, prompting emergency government intervention. The Federal Government fast-tracked legislation allowing telcos to share data with financial institutions to prevent identity fraud, and millions of Australians were forced to replace their identity documents.

How It Happened

The attack vector was an unauthenticated API endpoint — essentially an open door into Optus's customer database. The attacker was able to query the API without any credentials, authentication tokens, or rate limiting. By simply incrementing customer identifiers, the attacker was able to systematically download millions of customer records.

This wasn't a sophisticated nation-state attack. It was a fundamental security oversight — an API that should never have been publicly accessible was left wide open.
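The weakness described above is a broken object-level authorization problem: an endpoint that takes a predictable customer identifier and returns the record without asking who is calling or whether they own it. The Python below is an added illustration, not Optus code and not part of the original article. It places the insecure lookup pattern beside a hardened version that authenticates the caller, checks that the requested record belongs to that caller, rate-limits per principal, exposes opaque public identifiers instead of sequential integers, and writes denied attempts to an audit log so enumeration shows up in monitoring. The customer records, tokens, and session store are constructed sample data; the Bearer-token scheme and status codes are conventional assumptions.

```python
from __future__ import annotations

import hmac
import time
from dataclasses import dataclass

# Constructed sample data. Internal IDs are sequential, which is what makes
# "just increment the identifier" work against the insecure lookup below.
# The public_id is an opaque value we expose to clients instead.
CUSTOMERS = {
    1001: {"public_id": "c_7f3a9e0b", "name": "Alice Example", "passport": "PA1234567"},
    1002: {"public_id": "c_b21d44c9", "name": "Bob Example", "passport": "PB7654321"},
    1003: {"public_id": "c_0e8f1a77", "name": "Carol Example", "passport": "PC1122334"},
}
PUBLIC_TO_INTERNAL = {rec["public_id"]: cid for cid, rec in CUSTOMERS.items()}

# Hypothetical session store: bearer token -> internal id of the authenticated caller.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}

AUDIT_LOG: list[str] = []


def vulnerable_lookup(customer_id: int) -> dict | None:
    """Insecure pattern: no authentication, no ownership check, guessable key."""
    return CUSTOMERS.get(customer_id)


class RateLimiter:
    """Sliding-window limiter keyed by principal (illustrative, in-memory)."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self.hits: dict[str, list[float]] = {}

    def allow(self, key: str, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits.get(key, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


LIMITER = RateLimiter(limit=5, window_seconds=60)


@dataclass
class Response:
    status: int
    body: dict | None = None


def authenticate(headers: dict) -> int | None:
    """Resolve a Bearer token to the caller's internal id, or None if invalid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    for known, cid in SESSIONS.items():
        if hmac.compare_digest(known, token):  # constant-time comparison
            return cid
    return None


def hardened_lookup(headers: dict, public_id: str, now: float | None = None) -> Response:
    """Authenticated, authorized, rate-limited lookup by opaque public id."""
    caller = authenticate(headers)
    if caller is None:
        AUDIT_LOG.append(f"DENY unauthenticated request for {public_id}")
        return Response(401)
    # Per-principal limit; a real deployment would also limit by source address.
    if not LIMITER.allow(str(caller), now):
        AUDIT_LOG.append(f"DENY rate-limited caller={caller}")
        return Response(429)
    target = PUBLIC_TO_INTERNAL.get(public_id)
    # Object-level authorization: a caller may only read their own record.
    if target is None or target != caller:
        AUDIT_LOG.append(f"DENY caller={caller} requested {public_id}")
        # Same status for "missing" and "not yours" so the API is not an oracle.
        return Response(404)
    return Response(200, CUSTOMERS[target])


if __name__ == "__main__":
    # The insecure endpoint hands over every record to an anonymous caller.
    print([vulnerable_lookup(i)["name"] for i in range(1001, 1004)])
    alice = {"Authorization": "Bearer tok-alice"}
    print(hardened_lookup(alice, "c_7f3a9e0b").status)  # own record
    print(hardened_lookup(alice, "c_b21d44c9").status)  # someone else's record
    print(AUDIT_LOG)
```

The audit log entries are the detection hook: a single principal producing a run of DENY lines for identifiers it does not own is the signature of enumeration, and it is visible here precisely because the hardened handler refuses and records each attempt instead of silently serving the record.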

The Fallout

  • Up to 10 million customer records exposed
  • 2.1 million passport or driver's licence numbers compromised
  • $140 million+ in estimated costs
  • CEO resignation — Kelly Bayer Rosmarin stepped down
  • OAIC proceedings alleging failure to protect personal information
  • Millions of Australians forced to replace identity documents at government expense

The Social Engineering Risk

What makes the Optus breach especially dangerous is the downstream social engineering risk. With names, dates of birth, phone numbers, and identity document numbers, attackers have everything they need to impersonate victims convincingly — whether calling banks, government services, or employers.

A data breach doesn't end when the data is stolen. It creates a permanent pool of ammunition for social engineering attacks — vishing, smishing, and spear phishing campaigns that can target victims for years.

Ironclad ID's attack simulation platform tests your team's resilience against exactly these scenarios — voice calls, SMS messages, and emails that use real personal data to sound convincing. Because the next Optus victim could be one of your employees.

Source: The Guardian

Don't Be the Next Headline

See how Ironclad ID protects your organisation from the attacks making the news.