The Australian Communications and Media Authority (ACMA) alleged in a court document a huge data breach in 2022 on Optus’ systems was caused by a simple coding error which it failed to detect for four years.

The ACMA claims in a filing the cyberattack was not highly sophisticated or one that “required advanced skills or proprietary or internal knowledge” of the operator’s processes or systems, adding it was “carried out through a simple process of trial and error”.

The agency explained the design of databases for storing customers’ personal data left them vulnerable to attack once they “became internet facing” when a coding error was introduced in 2018. Optus detected and fixed the vulnerability in one system but not in another sub-system.

A cyberattacker accessed the sub-system by exploiting the coding error.

Optus didn’t find the coding error until after the attack.

The cyberattack compromised the personal information of more than 9.5 million former and current customers, the document noted. It added that some customer data was published on the dark web.

In May the agency filed court proceedings against the operator, alleging it failed to protect the confidentiality of its customers’ personal information from unauthorised interference or access during the data breach in 2022.

ACMA is seeking civil penalties against Optus for its failures.

Optus appointed Deloitte to independently review its security systems and controls, with a report due to be submitted to ACMA by 21 June.