Association-anemone

Optus disputes severity of cyber attack – channelnews
asane

Optus, which was the target of a 2022 cyber attack that threatened the personal information of more than 9 million of its customers, has disputed the Australian communications regulator’s assessment of the attack as not being “highly sophisticated”.

The telco is in the middle of a Federal Court battle against the Australian Communications and Media Authority (ACMA) after the latter claimed the Singapore-owned company failed to protect confidential customer information before it was hit by an online attack between September 17-20, 2022.

In its statement filed last week, the ACMA claims the hack “was not a highly sophisticated cyber attack and did not require advanced skills” and that it “was carried out through a process of trial and error,” the Australian Financial Review reported.

Meanwhile, the telco disputes that view, saying: “The cyberattacker began the cyberattack with a high degree of knowledge of Optus systems, including certain (expletive) that were proprietary and confidential to Optus.”

Details of Optus’ defense released by the courts have been redacted, including in which databases personal customer information was stored.

Information about the company’s security measures and how the cyber attacker avoided detection alerts was also redacted.

The ACMA alleges that a publicly accessible internet domain known as a “target domain” was easily identified by examining Optus’ websites or mobile sites.

“As of July 12, 2018, a post on the GitHub.com website identified the target domain and code to retrieve data using one of the target APIs (application programming interfaces),” ACMA said.

It appears that the cyberattacker was able to access customers’ personal information due to a coding error in September 2018 that did not adequately protect the target domain (api.www.optus.com.au) as well as Optus’ main domain (www.optus.com.au), ACMA claims.

The telco says the cyber attacker was able to read the data of around 9.5 million people stored in Singtel Optus databases and that the data of 10,198 people was published on the internet.

While Optus admitted its mobile business collected personal information from its customers, it denied that it “owns” information such as driving license numbers, Medicare card numbers, birth certificate details and names and addresses.

“Personal information was stored in databases owned by Optus Systems Pty Limited, another entity within the Optus group of companies, also accessible by Optus Mobile for authorized purposes,” the company said.

The ACMA alleges that Optus’ actions breached the Australian Telecommunications Act on at least 3.6 million occasions. Each breach carries a maximum penalty of $250,000.

A new twist in the whole saga came when Optus hired Deloitte to carry out an independent external review of the cyber attack and its security systems, controls and processes, but then launched a legal battle to stop Deloitte’s report from being released as part of class action proceedings brought by Slater & Gordon on behalf of the telecommunications group’s customers.

Optus has already lost its legal battle to keep Deloitte’s report secret, and while that report will not be made public, some of the information in the report could become public through class action proceedings.

The court ordered copies not only of the Deloitte report, but also of another report investigating the issue, prepared in December 2022 by US cybersecurity firm Mandiant, a subsidiary of Google.

Apart from the 2022 incident, the telco also faced an unplanned outage towards the end of last year. It suffered an annual net loss of $480 million for the 12 months to March 31 this year, six times the $79 million loss a year earlier.