Optus suffered a major breach that exposed personal information belonging to about 9.8 million current and former customers, including names, dates of birth, addresses, phone numbers, email addresses, and, for roughly 2.8 million people, passport or driver’s licence numbers. Australian officials publicly disputed Optus’s description of the intrusion as sophisticated, citing claims that an internet-exposed unauthenticated API and weak access controls enabled what the cybersecurity minister called a “basic hack,” while the company maintained a skilled criminal was responsible. The incident triggered investigations by the Australian Federal Police, the information commissioner, and ACMA, and intensified scrutiny of telecom-sector cyber oversight and penalties.
A BreachForums user claiming responsibility demanded about US$1 million and threatened to publish stolen records in batches before later posting an apology and claiming the data had been deleted, a statement authorities did not verify. The fallout included identity-theft warnings, state support for replacing compromised licences, Optus-funded document replacement and credit monitoring, customer backlash over poor communications, and at least one criminal case involving alleged misuse of the stolen data to blackmail victims. The breach also led to a Deloitte review, court fights over disclosure of that report, customer losses, and a large class action as Australia moved to strengthen information-sharing and cyber laws.

In November 2023, Optus lost a court bid to keep secret a Deloitte report into the cause of the 2022 cyberattack. The ruling increased public scrutiny of how the breach occurred and how Optus handled the aftermath.
As of June 2023, regulatory and criminal investigations into the Optus breach were still underway, and a class action involving about 100,000 affected customers was in progress. The incident continued to drive legal and policy consequences in Australia.
By March 2023, Optus CEO Kelly Bayer Rosmarin said a skilled criminal was behind the attack and acknowledged that the company had lost customers following the breach. The statement reflected the continuing business impact months after the incident.
In November 2022, Optus said it would allocate A$140 million to cover the replacement of compromised identity documents and related remediation costs. CEO Kelly Bayer Rosmarin also publicly apologized as the company sought to address customer fallout.
Optus said it would pay the costs for customers needing to replace foreign passports exposed in the 2022 breach. The move expanded remediation beyond Australian identity documents to affected customers holding overseas passports.
Australia's information commissioner and the Australian Communications and Media Authority launched investigations into the Optus breach in October 2022. The probes added regulatory scrutiny alongside ongoing criminal inquiries.
Following the Optus breach, the Australian government moved to give telecommunications providers authority to share affected customer information with banks. The measure was intended to help financial institutions detect and prevent fraud against customers whose personal data had been exposed.
Police charged a 19-year-old Sydney man for allegedly using data from the Optus breach to blackmail 93 affected customers. The case showed that stolen customer information was already being used in follow-on criminal activity.
Australian state governments announced support for affected residents seeking replacement driver's licences and other identity documents after the breach. The measures were intended to reduce identity theft risks for customers whose official ID numbers were exposed.
Optus began contacting affected customers by email and SMS, warning them about scams and advising that legitimate notices would not contain hyperlinks. The company also offered Equifax Protect and other support to higher-risk customers whose identity document data was exposed.
Within days, the same BreachForums user posted an apology and said the stolen Optus data had been deleted, effectively withdrawing the ransom demand. Optus and the Australian Federal Police did not confirm the authenticity of the claim.
A user claiming to hold the stolen Optus data demanded about US$1 million and threatened to publish batches of records if unpaid. Reports said the extortionist threatened to release tens of thousands of records over several days.
By late September, Cybersecurity Minister Clare O'Neil publicly criticized Optus, calling the incident an unprecedented theft of consumer information and arguing it was not a sophisticated hack. Government agencies began assisting Optus, and officials highlighted regulatory gaps and inadequate penalties for such failures.
Soon after disclosure, Optus described the intrusion as a sophisticated attack, while the person claiming responsibility, a purported insider account, and Australian officials all said the breach appeared to involve a publicly exposed, unauthenticated API and basic access-control failures rather than any advanced technique. That disagreement over how the data was taken became a central part of the public response to the incident.
In September 2022, Optus experienced a breach that exposed personal data of up to about 9.8 million (some reports said 10 million) current and former customers. Exposed information included names, dates of birth, contact details, addresses, and, for many victims, passport or driver's licence numbers.
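The disputed point in the timeline above is whether an internet-facing customer-lookup endpoint answered without authentication and with guessable identifiers. The following is an added illustration, not Optus code and not a reconstruction of its actual API: a toy endpoint with that failure mode placed beside a hardened version that requires a bearer token and enforces object-level authorization, plus the harvesting loop an attacker would run against a guessable id space. All paths, records, tokens and function names are hypothetical, and the sample data is constructed.

```python
# Added example (not Optus code): an unauthenticated customer-lookup endpoint
# with enumerable ids beside a hardened version. All names, records, tokens
# and paths are hypothetical.
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data shaped like the fields the breach exposed. Fictitious.
CUSTOMERS = {
    10001: {"name": "A. Example", "dob": "1990-01-01", "licence": "L1234567"},
    10002: {"name": "B. Example", "dob": "1985-06-15", "licence": "L7654321"},
}

# Hypothetical bearer tokens mapped to the customer id each may read.
SESSIONS = {"tok-cust-10001": 10001, "tok-cust-10002": 10002}

PATH_RE = re.compile(r"^/api/customers/(\d+)$")


@dataclass
class Response:
    status: int
    body: dict


def vulnerable_handler(path: str, headers: dict) -> Response:
    """The failure mode described in the reporting: anyone who can reach the
    URL gets the record, and ids are sequential, so a loop over ids harvests
    the whole table. No authentication, no authorization."""
    m = PATH_RE.match(path)
    if not m:
        return Response(404, {"error": "not found"})
    rec = CUSTOMERS.get(int(m.group(1)))
    if rec is None:
        return Response(404, {"error": "not found"})
    return Response(200, rec)


def _caller_id(headers: dict) -> Optional[int]:
    """Resolve a bearer token to the customer it belongs to, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    if not token.isascii():
        return None
    for known, cid in SESSIONS.items():
        if hmac.compare_digest(known, token):  # constant-time comparison
            return cid
    return None


def hardened_handler(path: str, headers: dict) -> Response:
    """Require a valid token, then enforce object-level authorization: the
    token's owner may read only their own record. Other customers' ids and
    unknown ids both return 404 so the endpoint does not reveal which ids
    exist, which also blunts enumeration by an authenticated caller."""
    m = PATH_RE.match(path)
    if not m:
        return Response(404, {"error": "not found"})
    caller = _caller_id(headers)
    if caller is None:
        return Response(401, {"error": "authentication required"})
    if int(m.group(1)) != caller:
        return Response(404, {"error": "not found"})
    return Response(200, CUSTOMERS[caller])


def enumerate_ids(handler, start: int, count: int,
                  headers: Optional[dict] = None) -> list:
    """Simulate the harvesting loop run against a guessable id range;
    returns the ids for which a record came back."""
    headers = headers or {}
    return [cid for cid in range(start, start + count)
            if handler(f"/api/customers/{cid}", headers).status == 200]


if __name__ == "__main__":
    own = {"Authorization": "Bearer tok-cust-10001"}
    print("vulnerable, no token:", enumerate_ids(vulnerable_handler, 10000, 5))
    print("hardened, no token:  ", enumerate_ids(hardened_handler, 10000, 5))
    print("hardened, own token: ", enumerate_ids(hardened_handler, 10000, 5, own))
```

Run stand-alone, the vulnerable handler hands the unauthenticated loop every record in the range, while the hardened handler returns nothing without a token and only the caller's own record with one. The authorization check is the part that is easy to forget: adding authentication alone would still let any logged-in customer walk the id space, so the hardened version checks that the requested id belongs to the caller and uses the same 404 for "not yours" and "does not exist".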