What Happened: Optus Breach Summary
On September 22, 2022, a cyberattack on Optus exposed the personal information of 9.8 million current and former customers - approximately 40% of Australia's population.
What Was Stolen:
- Full names (9.8 million records)
- Dates of birth (9.8 million records)
- Phone numbers (9.8 million records)
- Email addresses (9.8 million records)
- Home addresses (9.8 million records)
- Driver's license numbers (2.8 million records)
- Passport numbers (1.2 million records)
- Medicare numbers (unknown exact number)
How It Happened: A hacker accessed an unsecured API (Application Programming Interface) that was exposed to the public internet without proper authentication. The API was used for Optus's internal customer database and should never have been accessible externally.
The Attacker: Initially claimed to be ransomware group "Optusdata" demanding $1 million USD. The attacker posted sample data publicly, then deleted posts and disappeared after widespread backlash. Identity remains unknown, though Australian Federal Police investigated.
Complete Timeline
March - August 2022: Vulnerability Exists
What We Now Know: The unsecured API that enabled the breach existed for months, possibly years, before the attack. Security researchers have stated that basic vulnerability scanning would have detected this exposure.
Red Flags Missed:
- API accessible without authentication
- No rate limiting on data queries
- Customer data returned in plaintext
- No monitoring or alerts on unusual access patterns
September 17-21, 2022: Initial Breach
Saturday, September 17: Evidence suggests the attacker began probing Optus systems, likely discovering the unsecured API through basic reconnaissance.
September 17-21: The attacker systematically extracted data from the API over several days. The slow extraction went undetected by Optus's security systems.
Why It Went Undetected:
- No real-time monitoring on API access
- No alerts for bulk data extraction
- Security team unaware of vulnerable endpoint
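The three gaps above (no real-time monitoring of API access, no alerts for bulk extraction, an endpoint the security team did not know about) are the kind of thing a simple access-log detector catches: one client pulling many distinct customer records in a short window, often with consecutive IDs. The following is an added illustration written for this article, not Optus's tooling; the log line format, IP addresses, customer IDs and the window/threshold values are all constructed assumptions.

```python
"""Added example: flag bulk customer-record extraction in API access logs.
Illustrative code for this article; the log format and all values are
constructed, not taken from Optus."""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Assumed log line layout (constructed for this example):
#   <ISO8601 UTC timestamp> <client address> <method> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
CUSTOMER_PATH_RE = re.compile(r"^/api/customers/(?P<cid>\d+)$")


def parse_line(line):
    """Return (timestamp, client, customer_id) for a successful customer-record
    lookup, or None for any other line (health checks, errors, malformed)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    p = CUSTOMER_PATH_RE.match(m.group("path"))
    if not p or m.group("status") != "200":
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group("client"), int(p.group("cid"))


def detect_bulk_extraction(lines, window_seconds=300, max_distinct=20):
    """Raise one alert per client that fetches more than `max_distinct`
    distinct customer records inside a sliding window of `window_seconds`.
    The thresholds are assumptions; tune them to the real endpoint's traffic."""
    windows = defaultdict(deque)   # client -> deque of (timestamp, customer_id)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, cid = parsed
        q = windows[client]
        q.append((ts, cid))
        # Drop entries that have aged out of the window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) > max_distinct and client not in alerts:
            ids = sorted(distinct)
            alerts[client] = {
                "client": client,
                "distinct_records": len(distinct),
                "window_start": q[0][0].isoformat(),
                "window_end": ts.isoformat(),
                # Contiguous IDs are a strong sign of enumeration rather than
                # ordinary customer-portal traffic.
                "sequential": ids == list(range(ids[0], ids[0] + len(ids))),
            }
    return list(alerts.values())


def build_sample_log():
    """Constructed sample: a few normal lookups plus one client walking IDs
    slowly (one record every two seconds), the pattern the article says
    went unnoticed for days."""
    lines = [
        "2022-09-19T03:00:00Z 198.51.100.5 GET /api/customers/88231 200",
        "2022-09-19T03:00:10Z 198.51.100.9 GET /api/health 200",
        "2022-09-19T03:00:30Z 198.51.100.9 GET /api/customers/10455 200",
        "2022-09-19T03:00:45Z 198.51.100.5 GET /api/customers/88231 200",
    ]
    for i in range(30):
        lines.append(
            f"2022-09-19T03:01:{i * 2:02d}Z 203.0.113.7 GET /api/customers/{10000 + i} 200"
        )
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_extraction(build_sample_log()):
        print(alert)
```

The detector keys on the client address because that is what an unauthenticated endpoint leaves you with; once an API requires authentication, key on the principal instead, since a determined client can spread requests across many addresses. A per-client count of distinct records is deliberately simple and cheap enough to run on a streaming log pipeline.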
September 22, 2022: Breach Discovered
Thursday, September 22, Morning: Optus discovers unusual access patterns in system logs during routine review. Security team begins internal investigation.
12:00 PM AEST: Optus confirms unauthorized access to customer data. Executive team briefed.
4:30 PM AEST: Optus reports breach to Australian Cyber Security Centre (ACSC) and Office of the Australian Information Commissioner (OAIC).
Evening: Optus executives hold emergency meetings to assess scale and plan response.
September 22, 2022 Evening: First Public Sample
8:47 PM AEST: Hacker posts message on underground forum claiming to have stolen data of 11.2 million customers.
Sample Data Posted: The attacker shared 100 records as proof, including:
- Full names
- Dates of birth
- Phone numbers
- Addresses
- Driver's license numbers (partially redacted)
Forum Reaction: Cybersecurity community confirms data appears genuine based on formatting and information accuracy.
September 23, 2022: Optus Goes Public
7:00 AM AEST: Media outlets report the breach based on hacker's forum posts.
11:00 AM AEST: Optus CEO Kelly Bayer Rosmarin holds press conference confirming breach:
- "Approximately 9.8 million current and former customers" affected
- "We are devastated to discover we have been subject to a cyberattack"
- No admission of security failures
Public Reaction:
- Immediate anger over scope of breach
- Questions about security practices
- Concerns over identity theft risk
12:30 PM AEST: Australian Government responds. Minister for Cyber Security Clare O'Neil states: "Optus has effectively left the window open for data of this nature to be stolen."
Afternoon:
- Optus sets up dedicated helpline (immediately overwhelmed)
- Website resources page created (crashes due to traffic)
- Social media flooded with customer complaints
September 23-24: Ransom Demand
September 23, Evening: Attacker posts ransom demand on forum:
- Demand: $1,000,000 USD in Monero cryptocurrency
- Deadline: One week
- Threat: Release all data if not paid
Public Pressure:
- Australian Federal Police state they don't negotiate with criminals
- Cybersecurity experts warn paying ransom encourages attacks
- Public demands Optus not pay
September 24: Optus confirms they will not pay ransom. AFP launches criminal investigation.
September 27, 2022: Attacker Backs Down
Tuesday, September 27, Morning: In a surprising turn, the attacker posts an apology on the forum:
- "Too many eyes on me"
- "I apologize to Optus for this situation"
- Deletes all sample data
- Deletes ransom demand
- Disappears from forum
Theory on Why:
- Massive police attention from AFP and international agencies
- Public backlash made selling data difficult
- Hacker realized severity of targeting critical infrastructure
- Fear of identification and arrest
Data Status: While sample data was deleted, copies likely exist:
- Forum users may have saved samples
- Full database possibly sold privately before deletion
- Unknown if copies exist in other criminal forums
September 28, 2022: Government Response
Prime Minister Anthony Albanese: "This is a huge wake-up call for corporate Australia. Businesses need to lift their game on cyber security."
Minister Clare O'Neil: Announces new cybersecurity legislation to strengthen data protection requirements and breach notification.
Government Actions:
- Task force established to coordinate response
- Support for AFP investigation
- Review of critical infrastructure cybersecurity requirements
October 1, 2022: Optus Response Plan
Optus Announces:
1. Identity Monitoring (Free for 12 Months)
- Equifax identity monitoring service
- Credit report monitoring
- Dark web monitoring for stolen credentials
Criticism:
- Only 12 months when identity theft can occur years later
- Equifax itself had massive 2017 breach
- Should be lifetime monitoring given severity
2. Document Replacement (Optus to Cover Costs of):
- New driver's licenses
- New passport applications
Issues:
- Confusing eligibility criteria
- Slow reimbursement process
- Some states charged customers upfront
3. Dedicated Support Team
- 24/7 helpline
- Dedicated website resources
- Email support
Reality:
- Wait times exceeded 4 hours
- Website frequently crashed
- Email responses took days
October 5, 2022: Scale Clarified
Optus Revises Numbers:
High-Risk Customers (ID Documents Stolen):
- 2.8 million driver's licenses
- 1.2 million passport numbers
- Smaller number of Medicare numbers
Medium-Risk Customers:
- 6.8 million with name, DOB, address, phone, email
- No ID document numbers
Lower-Risk:
- Email addresses or phone numbers only
Why This Matters: Customers with stolen ID documents face highest identity theft risk. Criminals can open bank accounts, apply for loans, or commit fraud using stolen licenses/passports.
October 14, 2022: State Government Responses
Free ID Document Replacement:
Victoria: Free driver's license replacement for affected Victorians (normal cost: $90)
New South Wales: Free driver's license replacement (normal cost: $59)
Queensland, SA, WA, TAS: Various replacement programs announced
Passport Replacement: Federal government announces streamlined process but not free (still $300+ for passport replacement)
Criticism:
- Optus should directly fund these costs
- Slow implementation of state programs
- Confusing eligibility and application processes
November 2022: Class Action Lawsuits
Slater & Gordon: Launches class action against Optus on behalf of affected customers.
Claims:
- Negligent data security practices
- Breach of contract (Optus promised to protect data)
- Breach of Privacy Act
- Failure to implement reasonable security safeguards
Potential Damages:
- Compensation for time spent changing documents
- Identity theft protection costs
- Emotional distress
- Future risk of identity theft
Other Law Firms: Multiple firms launch competing class actions. Eventually consolidated into primary action.
December 2022: Government Investigation
OAIC Investigation: Office of the Australian Information Commissioner launches formal investigation into Optus:
- Whether adequate security safeguards were in place
- Whether Optus responded appropriately to breach
- Whether Privacy Act was violated
Potential Penalties: Under Privacy Act 1988, maximum penalty was $2.22 million per breach (multiple breaches possible).
Note: New Privacy Act amendments (2024) increased maximum penalties to $50 million or 30% of turnover - but these weren't in effect during Optus breach.
February 2023: Technical Details Revealed
Security Researchers' Analysis:
What Went Wrong:
- Unauthenticated API: Test API from 2017 merger left exposed to internet
- No Rate Limiting: Attacker could query thousands of records without triggering alerts
- Plaintext Data: Customer information stored and transmitted without encryption
- No Monitoring: Bulk data extraction went unnoticed for days
- Poor Security Culture: Basic vulnerabilities undetected for years
Expert Consensus: "This was not a sophisticated attack. This was basic security hygiene failure that should never have happened at a telecommunications company."
June 2023: AFP Investigation Update
Australian Federal Police: Investigation continues but no arrests announced. Challenges include:
- Attacker likely overseas (outside Australian jurisdiction)
- Used cryptocurrency and VPN (difficult to trace)
- Deleted evidence after backing down
- International cooperation required
Status: As of January 2025, no public arrests or charges announced.
September 2023: One Year Later
Optus Statement: One year anniversary of breach. CEO Kelly Bayer Rosmarin issues statement:
- "We deeply regret this incident"
- Outlines security improvements made
- Confirms identity monitoring continues for affected customers
Security Improvements Claimed:
- Enhanced API security and authentication
- 24/7 security operations center
- Increased cybersecurity investment
- Third-party security audits
Public Skepticism: Many affected customers remain angry about inadequate security and slow response.
November 2023: CEO Resigns
Kelly Bayer Rosmarin Steps Down: Optus CEO resigns following continued criticism over:
- 2022 data breach
- Separate November 2023 nationwide outage (12+ hours)
- Loss of public trust
Interim CEO: Michael Venter appointed as interim CEO.
March 2024: Class Action Settlement
Settlement Announced: Optus agrees to settle class action lawsuit.
Terms:
- Compensation fund established
- Amounts per affected customer vary by impact level:
  - High risk (stolen ID documents): Estimated $100-150
  - Medium risk (no ID documents): Estimated $50-80
  - Low risk: Smaller amounts
- Extended identity monitoring (additional 12 months)
- Legal fees paid separately
Criticism:
- Compensation amounts seen as inadequate
- "Slap on the wrist" for major security failure
- Should be much higher penalties
Claims Process: Affected customers must register and prove they were Optus customers during breach period.
What Data Was Actually Stolen?
Confirmed Stolen Information
Personal Details (9.8 Million Records):
- Full legal names
- Dates of birth
- Phone numbers (mobile and home)
- Email addresses
- Home addresses (current and historical)
Identity Documents (Subset of 9.8 Million):
- Driver's Licenses: 2.8 million records
  - License numbers
  - State of issue
  - Expiry dates
- Passport Numbers: 1.2 million records
  - Passport numbers
  - Country of issue
  - Expiry dates
- Medicare Numbers: Unknown exact count
  - Medicare card numbers
  - Position on card
  - Expiry dates
Account Information:
- Customer account numbers
- Service types (mobile, internet, etc.)
- Account creation dates
- Last 4 digits of payment cards (limited number of records)
What Was NOT Stolen
Financial Data:
- Full credit card numbers (only last 4 digits in some cases)
- Bank account details
- Payment history
- Billing information (beyond account numbers)
Communication Content:
- Call recordings
- SMS message content
- Internet browsing history
- Email content
Passwords:
- Optus account passwords (hashed and not accessible via API)
- Other passwords (not stored by Optus)
Identity Theft Risks & Real-World Impact
What Criminals Can Do With Stolen Data
High-Risk (ID Documents Stolen):
1. Open Bank Accounts: Criminals use a stolen license or passport to open accounts in your name. These accounts are then used for money laundering or fraud.
2. Apply for Credit: Criminals apply for credit cards, personal loans, or buy-now-pay-later schemes using your identity. You discover the debt only when collection agencies contact you.
3. SIM Swap Attacks: A criminal visits a phone store with a fake ID (made from your stolen license details) and requests a new SIM card for your number, gaining access to 2FA codes for banking, email, and social media.
4. Tax Fraud: Fraudulent tax returns are lodged in your name to claim refunds.
5. Create False Identity Documents: Your details are used to create fake licenses or other documents for criminal activities.
Medium-Risk (Personal Details Only):
1. Phishing Attacks: Targeted emails that include your name, address, and phone number, and that know you are an Optus customer, make for much more convincing scams.
2. Credential Stuffing: If you reuse passwords, criminals try your Optus email or phone number with common passwords on other sites.
3. Social Engineering: Calls pretending to be from Optus, your bank, or the government use your personal details to build trust.
Reported Real-World Cases
SIM Swap Fraud: Multiple Optus breach victims reported unauthorized SIM swaps at Optus stores. Criminals used fake IDs created from stolen data.
Phishing Campaigns: Increase in targeted phishing emails referencing the Optus breach and offering "security checks" or "compensation." Many victims were fooled by legitimate-looking emails that used their real personal details.
Credit Application Fraud: Several cases were reported of credit card applications in victims' names, discovered only when collection agencies made contact.
Tax Fraud Attempts: ATO reported increase in fraudulent tax returns using details matching Optus breach data.
What Optus Did (And Should Have Done)
What Optus Did
Immediate Response:
- Shut down vulnerable API
- Reported breach to authorities (OAIC, AFP)
- Set up helpline and website resources
Customer Support:
- 12-month identity monitoring (Equifax)
- Covered document replacement costs
- Extended support helpline
Security Improvements:
- Enhanced API authentication requirements
- Increased cybersecurity investment
- Third-party security audits
- 24/7 security operations center
What Optus Should Have Done
Before the Breach:
- Run basic security audits (which would have found the unsecured API)
- Implement API authentication (standard practice)
- Enable rate limiting on data queries
- Monitor unusual access patterns
- Regular penetration testing
- Follow OAIC security guidelines
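To make the first three items concrete (and the red flags listed under "Vulnerability Exists" and "What Went Wrong" above), here is an added illustration of a customer-lookup endpoint that enforces bearer-token authentication and per-principal rate limiting before it returns any record. It is example code written for this article, not Optus's code: the token store, the record store, the URL layout and the limits (a burst of 5 lookups, then one every two seconds) are constructed assumptions.

```python
"""Added example: an authenticated, rate-limited customer lookup endpoint.
Illustrative code for this article; not Optus's code. Tokens, records and
limits are constructed values."""
import hmac
import re
from dataclasses import dataclass

# Constructed credential store (principal -> bearer secret). In a real
# deployment these come from an identity provider or secrets manager, never
# from source code.
VALID_TOKENS = {"internal-crm": "tok-7d1f3c9a-constructed"}

CUSTOMER_PATH = re.compile(r"^/api/customers/(?P<cid>\d+)$")


@dataclass
class TokenBucket:
    """Token bucket: `capacity` requests may burst, then `refill_per_sec`."""
    capacity: int
    refill_per_sec: float
    tokens: float
    last: float

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class CustomerApi:
    """Minimal customer-lookup endpoint with the two controls the article says
    were missing: every request must carry a valid bearer token, and each
    principal is limited to a small number of record lookups per second."""

    def __init__(self, records, capacity=5, refill_per_sec=0.5):
        self.records = records          # customer_id -> record dict (constructed)
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}               # principal -> TokenBucket

    def authenticate(self, headers):
        """Return the principal for a valid bearer token, else None."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        presented = auth[len("Bearer "):]
        for principal, secret in VALID_TOKENS.items():
            # Constant-time comparison so the check does not leak the secret
            # through timing differences.
            if hmac.compare_digest(presented, secret):
                return principal
        return None

    def handle(self, method, path, headers, now):
        """Process one request; `now` (seconds) is injected so the limiter is
        deterministic and testable."""
        principal = self.authenticate(headers)
        if principal is None:
            return 401, {"error": "authentication required"}
        bucket = self.buckets.setdefault(
            principal, TokenBucket(self.capacity, self.refill_per_sec, self.capacity, now))
        if not bucket.allow(now):
            return 429, {"error": "rate limit exceeded"}
        if method != "GET":
            return 405, {"error": "method not allowed"}
        m = CUSTOMER_PATH.match(path)
        if not m:
            return 404, {"error": "not found"}
        record = self.records.get(int(m.group("cid")))
        if record is None:
            return 404, {"error": "not found"}
        # Return only the fields the caller needs, never the whole row.
        return 200, {"id": int(m.group("cid")), "name": record["name"]}


if __name__ == "__main__":
    api = CustomerApi({1001: {"name": "A. Example"}})   # constructed record
    print(api.handle("GET", "/api/customers/1001", {}, 0.0))        # 401
    ok = {"Authorization": "Bearer tok-7d1f3c9a-constructed"}
    print(api.handle("GET", "/api/customers/1001", ok, 0.0))        # 200
    for i in range(6):   # a burst of lookups; the last ones are refused
        print(api.handle("GET", f"/api/customers/{2000 + i}", ok, 0.0))
```

Two design points worth noting: the rate limiter is keyed on the authenticated principal rather than the source address, so spreading requests across many addresses does not raise the limit, and unauthenticated requests never reach the data layer at all. Transport encryption (TLS) and the rate-limiting of unauthenticated traffic by address belong in the gateway in front of this handler and are not shown here.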
After the Breach:
- Lifetime identity monitoring (not just 12 months)
- Higher compensation for affected customers
- More transparent communication
- Faster document replacement process
- Proactive outreach to high-risk customers
Industry Standards: Telecommunications companies hold massive amounts of sensitive data and should exceed minimum security standards. The breach revealed Optus failed to meet even basic standards.
How to Protect Yourself After Optus Breach
Immediate Actions (If Affected)
1. Register for Identity Monitoring: Optus provided 12 months of free Equifax monitoring. Register even if you don't think you're high-risk.
2. Replace ID Documents: If your driver's license or passport number was stolen:
- Apply for new driver's license (free for affected customers in most states)
- Consider new passport (required for international travel security)
- Update details with all services using old documents
3. Enable 2FA Everywhere: Especially critical on:
- Banking and superannuation
- myGov and Medicare
- Email (Gmail, Outlook, etc.)
- Social media
- Optus account itself
4. Set Up Credit Monitoring
- Check credit report free at: Equifax, Experian, illion
- Look for unknown accounts or credit applications
- Consider credit ban (prevents new credit applications)
5. Update Passwords: Use unique passwords for every account, and use a password manager like 1Password or Bitwarden (reviewed on this site).
Ongoing Monitoring (Next 5-10 Years)
Identity theft can occur years after breach.
Monthly:
- Check bank and credit card statements for unknown transactions
- Review superannuation account for unusual activity
- Check credit report for new applications
Annually:
- Request full credit report from all three agencies
- Review ATO MyGov for fraudulent tax returns
- Update passwords on critical accounts
If You Detect Fraud:
- Contact institution immediately (bank, credit provider)
- Report to IDCARE (Australian identity theft support): 1800 595 160
- Report to AFP ReportCyber: cyber.gov.au/report
- Document everything for potential legal action
Prevention for Future Breaches
Use Unique Passwords: Password managers generate and store unique passwords per site. If one site is breached, your other accounts remain protected.
Enable 2FA: Even if a password is stolen, the attacker still needs the second factor (phone, authenticator app, hardware key).
Monitor Credit Reports: Set up monitoring to be alerted to new credit applications immediately.
Consider VPN: VPN encrypts internet connection, protecting data from interception. Read our VPN comparison for Australians.
Limit Information Shared: Only provide ID documents when legally required. Question whether businesses actually need your license or passport.
Lessons Learned & Industry Impact
For Consumers
1. No Company Is Safe: Even major telecommunications companies with massive IT budgets can have basic security failures.
2. Your Data Will Be Breached Eventually: Assume every company holding your data will eventually be breached, and prepare accordingly.
3. Unique Passwords Are Essential: Password reuse means one breach compromises all of your accounts.
4. 2FA Is Critical: Two-factor authentication prevents most unauthorized access even if a password is stolen.
5. Monitor Your Credit: Identity theft can occur years after a breach, so ongoing monitoring is essential.
For Businesses
1. Security Basics Matter: Sophisticated attacks get the headlines, but the Optus breach was caused by leaving an API exposed without authentication - a basic failure.
2. Test APIs and Endpoints: Any endpoint accessible from the internet must have authentication and monitoring.
3. Monitor Access Patterns: Bulk data extraction should trigger immediate alerts.
4. Regular Security Audits: Third-party penetration testing would have found the Optus vulnerability.
5. Security Culture: Security must be a priority at all levels, not an afterthought.
For Government & Regulators
1. Stronger Penalties Required: The $2.22 million maximum penalty was inadequate for a breach affecting 9.8 million people.
2. Mandatory Security Standards: Critical infrastructure companies should meet minimum security standards.
3. Faster Breach Notification: Customers should be notified within 24 hours, not days.
4. Lifetime Identity Protection: Companies causing breaches should fund lifetime identity monitoring, not just 12 months.
5. Criminal Consequences: Executives responsible for security failures should face personal consequences.
Regulatory Changes Since Optus
Privacy Legislation Amendment (2024):
- Maximum penalties increased to $50 million or 30% of turnover
- Stricter breach notification requirements
- Enhanced OAIC enforcement powers
- Mandatory security safeguards defined
Telecommunications Security Standards: Increased requirements for telecommunications providers handling customer data.
Frequently Asked Questions
Conclusion
The 2022 Optus data breach was a watershed moment for Australian cybersecurity. 9.8 million Australians - 40% of the population - had personal data exposed due to basic security failures at one of the nation's largest telecommunications companies.
Key Facts:
- Cause: Unsecured API left exposed without authentication
- Stolen: Names, addresses, DOB, phone, email, 2.8M licenses, 1.2M passports
- Impact: Identity theft risk for years, SIM swap fraud, phishing campaigns
- Response: 12-month identity monitoring, document replacement, class action settlement
- Compensation: $50-150 per victim (inadequate for scale of breach)
What We Learned:
- No company is immune to breaches
- Basic security hygiene failures cause major incidents
- Identity theft risk persists for years after breach
- Consumers must take proactive protection steps
- Regulatory penalties were inadequate (now strengthened)
Protect Yourself:
- Use unique passwords for every account (password manager recommended)
- Enable 2FA on critical accounts (banking, myGov, email)
- Monitor credit reports every 3 months
- Replace compromised ID documents
- Set up fraud alerts with banks and credit agencies
Related Resources:
- Australian Data Retention Laws Explained
- Best Password Manager for Australians 2025
- Best VPN for Australians 2025
The Optus breach demonstrated that even major companies can fail basic security. The best protection is taking control of your own security through unique passwords, two-factor authentication, and vigilant monitoring.
Last Updated: January 15, 2025
Sources: OAIC, AFP, Optus public statements, media reports, court documents
Status: Class action settled, AFP investigation ongoing, no arrests announced
Have questions about the Optus breach? Contact us at hello@auprivacykit.com