Enhance your password security.

Get Started
CTA icon

The Optus Breach: How Not to PR

October 6, 20225 min read


Optus, the second-largest telecommunications company in Australia, confirmed on September 22nd that roughly 9.8 million personal records of current and past customers were leaked. They had no additional info at the time, which left those affected feeling helpless and betrayed. 

An unidentified person has taken responsibility for the hack. The hacker demanded $1 million to delete the data. Otherwise, they would release 10,000 personal records a day until they received payment.

The alleged hacker followed up on their threat - once. When payment was not received, they released 10,000 records that likely went straight to the dark web to piece together some profiles - a process whereby bots analyze whether criminals have enough information to target someone with scamming or identity theft. The hacker has since withdrawn their demand, apologized for their actions, and has not released any additional records. 

Affected records include everything from phone numbers to driver’s licenses and passport numbers. 


Investigating a breach is no small undertaking, and it’s impossible to know for certain if Optus acted slower than other industry giants would in an identical situation. However, their attitude and lackluster communication resulted in severe backlash from the Australian government and general public.

Optus framed itself as the victim of a cyberattack despite no evidence of how the personal records were accessed. In an interview with the Sydney Morning Herald, CEO Bayer Rosmarin said, “There has been no review and no report on the nature of what has occurred… so anyone saying anything about it is not talking from a position of knowledge.”

This attempt to control the narrative left government officials unimpressed. 

Government Services Minister Bill Shorten told reporters, using a suitably Australian metaphor: “Optus senior management are kidding themselves if they want a medal for the way that they’ve been communicating. Not even a crocodile’s going to swallow that.” 

The Situation Worsens

Two weeks later Optus provided additional info. After combing through logs, they claim that only 2.1 million personal records were exposed, of which 900,000 are expired. They said that all affected persons had been contacted, warned users not to open links from email or SMS, and recommended the My Optus app as the safest way to communicate with them. 

However, the leaked data goes back to 2017 and includes many ex-customers. How will these people be contacted safely? Does sending one email count as “contacted”? No one knows. And scammers are capitalizing on the confusion.

Customers are seeing phishing emails, phone calls, and SMS or social media messages asking users to order new SIM cards or update billing information in order to secure themselves from the attack. 

Scamwatch shared these two separate examples of scams following the Optus cyberhack. Correspondence about sim cards should be deleted, and any correspondence about bill "issues" treated with a high level of caution.

The government agency Scamwatch took the initiative to warn customers about these scams. “Optus is not contacting people about their bills and asking you to update information.” 

In the absence of other directions, people are scrambling to update their passports and driver’s license numbers.

How was the data exposed?

Knowledge of how the breach occurred is frustratingly scarce. 

According to Security Boulevard, “Unconfirmed reports suggest that an API Gateway was being used by Optus. If so, that API gateway failed to sufficiently rate limit the attacker's access to Optus's sensitive data.”

Security Boulevard provides a good overview of possible API vulnerabilities that led to easy personal information extraction. Time will tell if this was the weak link. 

Optus is noncommittal regarding whether or not they will release the full review being done by consultancy firm Deloitte. Perhaps this is Optus's ill-conceived attempt to make things seem less bad. If so, they failed to consider that the human imagination proliferates catastrophes, and the possibility that 2.1 million identities are compromised gives it ample fodder. 

Optus is now attempting open communication through its website, but it may be too little too late to save face.

We’re waiting on the results of the investigation to form a picture of what you can do to prepare for future breaches of this nature, or how you can take action to mitigate risk now. Fingers crossed that the findings will get released to the public. 

Optus has dug itself a bit of a hole. Government fines loom on the horizon, and user trust is eroded. We shall see how they choose to proceed. 

To be continued…

facebook social icon
twitter social icon
linkedin social icon
Enhance your password security

The best software to generate and have your passwords managed correctly.

TeamPassword Screenshot
Recommended Articles
Person using Telegram messaging service


May 14, 20249 min read

How End-to-End Encryption Ensures Secure Communication

Does end-to-end encryption offer better and more secure communication? Find out exactly what end-to-end encryption means, the benefits ...

A man typgin on a laptop while holding his phone, there are different security icons overlayed including a log in screen and a lock and masked password.


May 9, 202411 min read

5 Ways Adaptive Authentication Can Protect Your Business From Cyberattacks

Adaptive authentication can streamline access to your business systems whilst protecting your organization from cyberattacks. Here's how it ...

Two men sitting at a table, one on his phone and the other on a laptop. The words compliance, regulations, law, and standards are overlayed.


April 30, 20247 min read

SOC 2 password security compliance requirements in 2024

Security compliance is an ongoing, active process aimed at protecting an organization’s data, as well as the data ...

The Password Manager for Teams

TeamPassword is the fastest, easiest and most secure way to store and share team logins and passwords.