Description: The Optus breach in 2022 involved attackers stealing millions of customer records through an unauthenticated API endpoint. This incident cost the telecom company $140 million AUD in fallout. The vulnerability was easy to exploit and similar issues are still being found in major organizations.

Description: Dennis Su, 19, texted 93 of the telco's customers, demanding they transfer $2000 to a CBA bank account He threatened them for exposing personal information being used for financial crimes. He was having a difficult time being unemployed and wanted to make some quick money.

Description: In September 2022, Optus, a major Australian telecommunications provider, suffered a massive data breach involving unauthorized access to the personal information of approximately **9.5 million Australians**—nearly **40% of the country’s population**. The exposed data included highly sensitive details such as **names, birth dates, addresses, contact information, and government-issued identifiers (passport, Medicare, and driver’s license numbers)**. A portion of the stolen data was later **leaked on the dark web**, increasing risks of identity theft, financial fraud, and phishing attacks. The Australian Information Commissioner (AIC) alleged that Optus **failed to implement reasonable security measures** between **October 2019 and September 2022**, violating the **Privacy Act 1988**. The breach stemmed from an **unsecured API endpoint**, allowing attackers to exploit weak authentication controls. The AIC is pursuing **civil penalties of up to AUD $2.22 million per affected individual**, potentially resulting in one of the largest fines in Australian data protection history. The incident severely damaged Optus’s reputation, triggered regulatory scrutiny, and prompted nationwide calls for stricter cybersecurity laws.

Description: The Australian Information Commissioner (AIC) has launched civil action against Optus for a 2022 data breach that exposed the personal details of 9.5 million Australians. The breach involved sensitive personally identifiable information, including names, dates of birth, home addresses, phone numbers, email addresses, and government-related identifiers such as passport numbers, driver’s licence numbers, and Medicare card numbers. The attackers exploited a misconfigured API to access the dataset without authentication and issued a ransom demand. Although Optus prevented the theft of payment details and account passwords, a portion of the stolen data was leaked online. The AIC alleges Optus failed to take reasonable steps to protect the data, potentially facing significant financial penalties.

Description: In August 2025, Australia’s privacy regulator filed a landmark lawsuit against **Optus** over a **2022 data breach** that exposed the personal information of **9.5 million customers**. The breach, one of the largest in Australian history, involved unauthorized access to sensitive customer data, including names, dates of birth, phone numbers, email addresses, and in some cases, government-issued identification numbers (e.g., driver’s license or passport details). The potential regulatory fines could reach **A$2.2 million per affected individual**, totaling a catastrophic financial penalty exceeding **A$20 billion** if applied at maximum scale.The incident underscored systemic vulnerabilities in third-party data handling, particularly in highly regulated sectors like financial services and telecommunications. The breach not only triggered massive reputational damage but also led to a surge in fraudulent activities targeting affected customers, including identity theft and phishing scams. Optus faced intense scrutiny from regulators, lawmakers, and the public, with the case setting a precedent for stricter enforcement of data protection laws in Australia. The fallout also accelerated industry-wide shifts toward **localized, no-retention software solutions** to mitigate similar risks in the future.

Description: Hackers have breached Optus’ systems. They accessed names, dates of birth, phone numbers, email addresses, physical addresses and driver’s licence numbers of millions of the telecommunications giant’s customers. Up to 9 million customers had been affected. Many had their contact details exposed to the hackers, who also pilfered even more sensitive details, such as passport and drivers’ licence numbers, for a smaller portion of Optus customers.

Description: Optus, a telecommunications company suffered a data breach that exposed the private information of 10,000 account holders. The hackers, OptusData, demanded a ransom payment of about AUD$1.5 million in Monero cryptocurrency and said 10,000 records would be released daily until the cash is paid. According to the ransom note, more than 3.8 million "identity document numbers", 3.2 million driver's license numbers and four million user data records were exposed in the breach.

Description: The personal identification information of about 129,000 customers of Singtel was breached in a cyber attack on data transfer software, Accellion’s FTA that it uses. The stolen data includes name, date of birth, phone number, and address of the customers along with bank account information of some former employees.