IronSights

threat intelligence

The Optus Breach: Identity and Access Lessons for Australian Business

The Optus breach exposed the personal information of nearly 10 million Australians through an unauthenticated API. The root cause was not sophisticated — it was a misconfigured endpoint sitting on the public internet.

By Ryan Balloot, Managing Director
6 April 2023
1 min read

In September 2022, Optus disclosed that an attacker had accessed and exfiltrated the personal information of approximately 9.8 million current and former customers. The information included names, dates of birth, phone numbers, email addresses, and identity document numbers.

The Root Cause

The attacker accessed an API that was exposed to the internet without authentication. The endpoint — likely used for testing or development — had not been decommissioned and was not protected by any access controls. No credential compromise was required. The attacker simply sent requests to a publicly accessible URL.

Why This Is Not Just an Enterprise Problem

APIs power modern web applications, mobile apps, and cloud integrations. Many businesses have web-facing APIs they may not be fully aware of — created during development, left in place after a product change, or introduced by a third-party integration. An inventory of internet-facing assets is not optional for any business handling personal data.

Identity and Access Principles

The Optus incident reinforces three principles: every internet-facing endpoint must require authentication, development and test environments must be isolated from production data, and regular reviews of the external attack surface (what is actually visible from the internet) should be a standard security practice.
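The first principle is easiest to uphold when authentication is enforced by a gate in front of every route rather than remembered inside each handler. The following is an added example written for this article, not code from Optus or IronSights' own tooling: a minimal standard-library WSGI service in which every route is authenticated unless a reviewer explicitly registers it as public, unknown paths are refused to unauthenticated callers as well, and an audit helper lists the public routes for periodic review. The API key, the routes and the customer record are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed demo credential. A real service would load key hashes from a
# secret store; the point here is that the gate, not the handler, checks it.
_API_KEY_HASHES = {hashlib.sha256(b"demo-customer-key").hexdigest()}


def _key_is_valid(presented: str) -> bool:
    """Compare the presented key's hash against every stored hash in constant time."""
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return any(hmac.compare_digest(digest, stored) for stored in _API_KEY_HASHES)


@dataclass
class Route:
    handler: Callable[[dict], Tuple[str, bytes]]
    public: bool = False  # authenticated unless a reviewer explicitly marks it public


ROUTES: Dict[str, Route] = {}


def route(path: str, public: bool = False):
    """Register a handler. Omitting public=True is the safe default."""
    def register(fn):
        ROUTES[path] = Route(fn, public)
        return fn
    return register


@route("/health", public=True)
def health(environ):
    return "200 OK", b'{"status": "ok"}'


@route("/customers/1")
def customer(environ):
    # Constructed record; stands in for the kind of data that must never be
    # reachable without credentials.
    return "200 OK", b'{"id": 1, "name": "constructed-sample"}'


def app(environ, start_response):
    """WSGI entry point: authenticate first, route second."""
    path = environ.get("PATH_INFO", "/")
    r = ROUTES.get(path)
    is_public = r is not None and r.public
    if not is_public and not _key_is_valid(environ.get("HTTP_X_API_KEY", "")):
        # Unknown paths are also refused here, so unauthenticated callers
        # cannot learn which routes exist.
        status, body = "401 Unauthorized", b'{"error": "authentication required"}'
    elif r is None:
        status, body = "404 Not Found", b'{"error": "not found"}'
    else:
        status, body = r.handler(environ)
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))])
    return [body]


def call(path: str, api_key: str = None) -> Tuple[str, bytes]:
    """Drive the app in-process with a constructed WSGI environ (no network needed)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if api_key is not None:
        environ["HTTP_X_API_KEY"] = api_key
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def public_routes():
    """Audit helper: every path reachable without credentials, for periodic review."""
    return sorted(p for p, r in ROUTES.items() if r.public)


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    print("public routes:", public_routes())
    with make_server("127.0.0.1", 8080, app) as srv:
        print("serving on http://127.0.0.1:8080")
        srv.serve_forever()
```

The design choice worth copying is the direction of the default: a handler that forgets to opt in to authentication stays protected, and the only way to expose data without credentials is a visible `public=True` that a reviewer can grep for. The `public_routes()` list is the artefact to check during an attack surface review.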

The Regulatory Response

The Optus breach accelerated the Australian Government's Privacy Act reform agenda. Changes to notification timeframes, penalty levels, and the scope of mandatory breach reporting were all influenced by the public and political response to this incident.

How do we know what is exposed on our internet attack surface?

An external attack surface assessment — scanning your internet-facing infrastructure from an attacker's perspective — identifies exposed services, APIs, and management interfaces that should not be publicly accessible. This is a standard component of a penetration test and a valuable standalone exercise.
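The useful output of such an assessment is the difference between what is observed from the internet and what the business believes it has. The script below is an added example, not IronSights' assessment tooling: it reconciles a constructed snapshot of externally observed services (JSON lines, one per host and port) against a constructed approved inventory, flags anything exposed that nobody approved, flags hosts whose names suggest development or test systems, and reports approved entries that were not seen (a sign the inventory itself is stale). The hostnames, ports and the non-production naming markers are assumptions for the demonstration; a real run would be fed results from a scan of your own address ranges and DNS zones.

```python
import json
from collections import namedtuple

Exposure = namedtuple("Exposure", "host port service")

# Constructed snapshot of what an external scan observed.
SCAN_OUTPUT = """
{"host": "api.example.com", "port": 443, "service": "https"}
{"host": "api-test.example.com", "port": 443, "service": "https"}
{"host": "mail.example.com", "port": 25, "service": "smtp"}
{"host": "vpn.example.com", "port": 22, "service": "ssh"}
"""

# Constructed approved inventory: (host, port) pairs the business has signed off.
APPROVED = {
    ("api.example.com", 443),
    ("mail.example.com", 25),
    ("vpn.example.com", 443),
}

# Heuristic markers for non-production naming (assumed; tune to your conventions).
NONPROD_MARKERS = ("test", "dev", "staging", "uat", "sandbox")


def parse_scan(text):
    """Parse JSON-lines scan output into Exposure records."""
    exposures = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        exposures.append(Exposure(rec["host"], int(rec["port"]), rec["service"]))
    return exposures


def looks_nonprod(host):
    """True when any DNS label contains a non-production marker (substring heuristic)."""
    labels = host.lower().split(".")
    return any(marker in label for label in labels for marker in NONPROD_MARKERS)


def reconcile(exposures, approved):
    """Return (findings, stale): flagged exposures with reasons, and approved
    entries that were not observed."""
    findings = []
    for e in exposures:
        reasons = []
        if (e.host, e.port) not in approved:
            reasons.append("not in approved inventory")
        if looks_nonprod(e.host):
            reasons.append("non-production naming on an internet-facing host")
        if reasons:
            findings.append((e, reasons))
    stale = approved - {(e.host, e.port) for e in exposures}
    return findings, stale


if __name__ == "__main__":
    findings, stale = reconcile(parse_scan(SCAN_OUTPUT), APPROVED)
    for exposure, reasons in findings:
        print(f"{exposure.host}:{exposure.port} ({exposure.service}) -> {'; '.join(reasons)}")
    for host, port in sorted(stale):
        print(f"approved but not observed: {host}:{port}")
```

In the constructed data the test API host is flagged twice (unapproved and non-production naming), the VPN host is flagged because SSH on port 22 was never approved, and the approved VPN service on 443 is reported as not observed. Each finding is a question for the asset owner, which is the conversation an attack surface review is meant to start.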
