2022 Optus data breach

Last updated

In September 2022, Australian telecommunications company Optus suffered a data breach that affected up to 10 million current and former customers comprising a third of Australia's population. Information was illegally obtained, including names, dates of birth, home addresses, telephone numbers, email contacts, and numbers of passports and driving licences. Conflicting claims about how the breach happened were made; Optus presented it as a complicated attack on its systems while an Optus insider and the Australian Government said a human error caused a vulnerability in the company's API. A ransom notice asking for A$1,500,000 to stop the data from being sold online was issued. After a few hours, the data thieves deleted the ransom notice and apologised for their actions.

Contents

Government figures, including Home Affairs and Cyber Security Minister Clare O'Neil, and Minister for Government Services Bill Shorten, criticised Optus for its role in the attack, and for being uncooperative with government agencies and the public. The government announced legislation, including the allowance of information-sharing with financial services and government agencies, and reforms to Australia's laws on security of critical infrastructure to help the government act in the event of future breaches. [1] In response to the data breach, Optus agreed to pay for the replacements of compromised passports, commissioned an external review, and gave seriously affected customers a subscription to a credit monitoring service. Optus also apologised for the breach. Customers criticized Optus for not being responsive and providing inadequate responses to those affected. As of June 2023, investigations into the breach and a class-action lawsuit from affected customers were ongoing.

Background

Optus, an Australian telecommunications company, was founded in 1981 with the formation of the government-owned satellite-communications company AUSSAT. [2] AUSSAT was privatised in 1991 and sold to a consortium that included Mayne Nickless and AMP Limited. [3] In 2022, Optus was Australia's third-largest telecommunications company with a 13.1% market share. [4] In September 2022, Optus had around 10 million customers, comprising more than a third of Australia's population of around 26.12 million people. [5] [6]

Breach

On 20 September 2022, Optus's technical team noticed and investigated suspicious activity on its network. The next day, Optus's systems were found to have sustained a data breach and regulators were informed. On 22 September, the company publicly announced the data breach and informed news agencies. [5] [7] Optus advised the public to be vigilant for potential fraudulent activity but stated it did not know whether the breach had caused any harm to customers. Optus did not state how many customers were affected or whether the theft of data had caused harm. [8] Illegally obtained Information included names, dates of birth, home addresses, telephone numbers, email contacts, and passport and driving-licence numbers. [5]

Ransom note left by the person believed to be behind the breach 2022 Optus data breach ransom note.png
Ransom note left by the person believed to be behind the breach

On 23 September, Optus denied an insider's claims a mistake in which its application programming interface (API) had accidentally been left exposed to a test network that had access to the Internet had occurred. The company also said a complicated breach had occurred and that it had a strong cybersecurity system. [9] The Australian Broadcasting Corporation (ABC) was told Optus believed the hacker had scraped the company's consumer database, and that a third of the data in the database had been copied and extracted. [9]

On 24 September, Optus and the Australian Federal Police (AFP), which had opened a criminal investigation, received reports data from the leak was being sold online and were monitoring the dark web for any attempt to sell the data. [10] The same day, a user on the website BreachForums posted a ransom note; some cybersecurity experts believed the note was genuine but Optus and the AFP did not confirm its genuineness. The note demanded Optus pay $1,500,000 in the privacy-focused cryptocurrency Monero, provided a sample of data from 200 customers, and said the data thieves would release the personal information of 10,000 customers every day if Optus did not pay the ransom until a week elapsed. After the week elapsed, the thieves would sell the data for A$400,000 to anyone who wanted them. [11] After several hours, the user deleted their original post and appeared to apologise for their actions despite no ransom being paid, stating it was a "mistake to scrape publish [sic] data in first place" [11] and that too many people were paying attention to the breach. The user noted they would have reported the exploit they used if they had the ability to contact Optus, noting the lack of a secure mail, a messaging contact and bug bounties. [11]

Government response

Home Affairs and Cyber Security Minister Clare O'Neil said Optus was at fault for the attack, refuting Optus's argument the attack was complicated. O'Neil also stated the attack should not have happened, stating: "Responsibility for the security breach rests with Optus[,] and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country". [12]

On October 6, the federal government announced an emergency regulation to temporarily allow drivers licences, Medicare information, and passport numbers to be shared with financial services, the Commonwealth, and state and territory agencies to assist monitoring of accounts of customers affected by the breach for potential scams or fraud. Financial institutions had to commit to several actions to receive the data, including honouring privacy obligations and deleting data once it has been used. The Council of Financial Regulators was asked to identify and report on changes to financial instructions to identify customers who were at risk of scams and fraud. The changes were in place for 12 months. Treasurer Jim Chalmers stated the measures would help protect customers from scams and detect fraud. [13]

O'Neil expressed frustration at the lack of ability for the government to intervene in the data breach, its inability to assist with the clean-up or compel Optus to give government services information. She stated Australian law had no use for the government when needed because Australia's laws governing security of critical infrastructure only allowed the government to intervene while a data breach was occurring. [14]

Following the breach, several new security measures to protect victims from fraud, including banks being more-quickly informed of data breaches to prevent the use of data to fraudulently access bank accounts, were announced. [15] The federal government announced an overhaul of the $1.7 billion cybersecurity plan introduced by the previous government, including additional powers to intervene in cybersecurity. The government also considered a Cyber Security Act to create standards and obligations for industry and government, and a reform to the Security of Critical Infrastructure Act to bring customer data and systems under the definition of "critical infrastructure", allowing the government to intervene in major data breaches. [16]

In April 2023, the National Office of Cyber Security was founded with five full-time staff and no additional funding beyond what was already given to the Department of Home Affairs. [17] In June 2023, Air Marshal Darren Goldie was appointed as Australia's inaugural Cyber Security Coordinator. [18] In November 2023, Goldie was recalled to the Department of Defence regarding a workplace matter, and cyber-and-infrastructure security head Hamish Hansford took on the position in the interim. [19]

On 27 February 2023, Prime Minister Anthony Albanese and O'Neil hosted a roundtable with industry and civil society groups on cybersecurity following the data breach. A discussion paper was released regarding the role of the federal government in increasing Australia's cybersecurity capability. [16] [20]

The state governments of Queensland, Victoria, South Australia and Western Australia agreed to pay for the replacement of driver's licences for people whose driver's licence numbers were compromised by the breach. [21] [22] In Victoria, plans to add a second number to driver's licences were quickly enacted; all victims of the breach received the second number as part of their replacements, to protect Victorians from identity theft. [23]

Optus response

Optus's headquarters at Macquarie Park, where the "war room" was located Optus Macquarie Park - panorama.jpg
Optus's headquarters at Macquarie Park, where the "war room" was located

On the day the breach was announced, Optus set up a "war room" at its headquarters in Macquarie Park, New South Wales. This involved around 150 employees, and was headed by former Premier of New South Wales Gladys Berejiklian and regulatory and public affairs head Andrew Sheridan. [24]

Optus commissioned Deloitte to perform an "independent external review" regarding the breach. [25] Optus also offered its "most affected" customers a 12-month subscription to credit-monitoring service Equifax Protect after O'Neil requested the company buy credit monitoring for its customers in Question Time. [26] Optus CEO Kelly Bayer Rosmarin apologised for the attack on behalf of the company. [27] Optus reserved $140 million for costs relating to the breach, including the replacement of hacked identity documents, Equifax Protect subscriptions, and the Deloitte review. [27] Optus promised to pay for the replacement of compromised Australian and foreign passports. [28]

Optus reported 2.1 million of its customers had had identity documents stolen in the hack. Of these, 1.2 million had at least one current, valid number from a form of personal identification stolen. The remaining 900,000 customers had expired identity numbers stolen. [29]

Services Australia accused Optus of a lack of communication. On 27 September, Services Australia wrote to Optus "asking for the full details of all affected customers with Services Australia credentials exposed, such as Medicare cards and/or Centrelink concession cards". [14] Minister for Government Services Bill Shorten stated a week later, Services Australia had not received any data from Optus, which said it was "in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take". [14] There was also confusion about the number of stolen Medicare ID numbers; Shorten told a press conference around 36,900 ID numbers had been stolen and Optus said 14,900 ID numbers had been stolen. [14]

Customers also reported having problems communicating with Optus. Customers stated Optus could not confirm their personal information was part of the data breach. Customers reported after contacting Optus several times, the company's chatbot failed to understand customers' questions about the breach, sales representatives gave poor responses, they did not receive a response from Optus at all, and there were delays in warning customers of compromised personal information. One customer stated: "Ultimately, we are sitting ducks for identity theft, and given that we can’t change our dates of birth, address or names, there isn’t much we can do about it, which is incredibly frustrating". [26]

On 8 March 2023, Bayer Rosmarin restated Optus's claim the attack was sophisticated, stating at a business summit: "[t]he skilled criminal had knowledge of Optus' systems and cycled through many tens of thousands of internet protocol addresses in an attempt to evade our automated cyber monitoring". [30] She also stated Optus never paid a ransom to the hacker and that the main reason for the breach was other scam purposes. [30]

In November 2023, Bayer Rosmarin resigned as CEO of Optus after the 2023 Optus outage; there had been mounting pressure on her to resign due to the outage and the date breach. [31]

On 6 October 2022, the Australian Federal Police (AFP) arrested a 19-year-old Sydney man Dennis Su in his home at Rockdale for blackmailing 93 breach-affected Optus customers. Su said he would commit financial crimes using the customers' personal data unless they paid him A$2,000, which none did. He was charged with one count of using a telecommunication network with intent to commit a serious offence and one count of dealing with identification information with intent to commit an offence. AFP Assistant Commissioner Justine Gough stated Su was not suspected of being responsible for the breach and warned people not to click on links claiming to be from Optus. [32] Su pleaded guilty in November 2022; he did not go to jail due to a guilty plea, his age, and remorse shown for his actions, and he received an 18-month community corrections order. [33]

On 11 October, the Office of the Australian Information Commissioner (OAIC) launched an investigation into the breach, Optus's handling of customers' personal data, whether Optus took reasonable steps to protect consumers affected by the breach from fraud, misuse, or loss, and whether Optus needed to keep the collected information. The Australian Communications and Media Authority (ACMA) also launched an investigation into the breach, focusing on Optus's obligations to protect and dispose of personal data. [34] The federal government gave OAIC $5.5 million to investigate the breach over two years in its October 2022 budget. [25]

Law firm Slater & Gordon launched a class action alleging Optus "breached laws and its own policies by failing to adequately protect customer data and destroy or de-identify former customer data". The ongoing class action was joined by 100,000 current and former Optus customers who wanted compensation for losses, including the time to replace identification documents and the stress it caused. Optus stated it would defend its actions. [35] [36] In court, Slater & Gordon lawyers requested the public release of the Deloitte report, arguing it could reveal the possible causes of the data breach. Optus declined to release the report despite Bayer Rosmarin stating in March 2023 Optus would share "key recommendations and learnings" [37] from the report. [37] [38] In November 2023, Optus lost a bid to keep the report confidential. [39]

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

<span class="mw-page-title-main">Cybercrime</span> Type of crime based in computer networks

Cybercrime encompasses a wide range of criminal activities that are carried out using digital devices and/or networks. These crimes involve the use of technology to commit fraud, identity theft, data breaches, computer viruses, scams, and expanded upon in other malicious acts. Cybercriminals exploit vulnerabilities in computer systems and networks to gain unauthorized access, steal sensitive information, disrupt services, and cause financial or reputational harm to individuals, organizations, and governments.

Singtel Optus Pty Limited is an Australian telecommunications company headquartered in Macquarie Park, a suburb in the Northern Sydney region of Sydney, New South Wales, Australia. It is a wholly owned subsidiary of Singaporean telecommunications company Singtel.

<span class="mw-page-title-main">Equifax</span> American consumer credit reporting agency

Equifax Inc. is an American multinational consumer credit reporting agency headquartered in Atlanta, Georgia and is one of the three largest consumer credit reporting agencies, along with Experian and TransUnion. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. In addition to credit and demographic data and services to business, Equifax sells credit monitoring and fraud prevention services directly to consumers.

<span class="mw-page-title-main">Clare O'Neil</span> Australian politician (born 1980)

Clare Ellen O'Neil is an Australian politician who is the Minister for Home Affairs and Minister for Cyber Security, since 2022. She is a member of the Australian Labor Party (ALP) and has been a member of the House of Representatives since 2013, representing the Victorian seat of Hotham.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Kiteworks, formerly known as Accellion, Inc., is an American technology company that secures sensitive content communications over channels such as email, file share, file transfer, managed file transfer, web forms, and application programming interfaces. The company was founded in 1999 in Singapore and is now based in San Mateo, California.

A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack.

The Anthem medical data breach was a medical data breach of information held by Elevance Health, known at that time as Anthem Inc.

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR), a view shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

In 2013 and 2014, the Internet service company Yahoo was subjected to two of the largest data breaches on record. Neither breach was revealed publicly until September 2016.

<span class="mw-page-title-main">Okta, Inc.</span> American information technology company

Okta, Inc. is an American identity and access management company based in San Francisco. It provides cloud software that helps companies manage and secure user authentication into applications, and for developers to build identity controls into applications, website web services and devices. It was founded in 2009 and had its initial public offering in 2017, being valued at over $6 billion.

The Equifax data breach occurred between May and July 2017 at the American credit bureau Equifax. Private records of 147.9 million Americans along with 15.2 million British citizens and about 19,000 Canadian citizens were compromised in the breach, making it one of the largest cybercrimes related to identity theft. In a settlement with the United States Federal Trade Commission, Equifax offered affected users settlement funds and free credit monitoring.

The 2018 SingHealth data breach was a data breach incident initiated by unidentified state actors, which happened between 27 June and 4 July 2018. During that period, personal particulars of 1.5 million SingHealth patients and records of outpatient dispensed medicines belonging to 160,000 patients were stolen. Names, National Registration Identity Card (NRIC) numbers, addresses, dates of birth, race, and gender of patients who visited specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 were maliciously accessed and copied. Information relating to patient diagnosis, test results and doctors' notes were unaffected. Information on Prime Minister Lee Hsien Loong was specifically targeted.

<span class="mw-page-title-main">2020 United States federal government data breach</span> US federal government data breach

In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.

In mid-May 2021 hospital computer systems and phone lines run by the Waikato District Health Board (DHB) in New Zealand were affected by a ransomware attack. On 25 May, an unidentified group claimed responsibility for the hack and issued an ultimatum to the Waikato DHB, having obtained sensitive data about patients, staff and finances. The Waikato DHB and New Zealand Government ruled out paying the ransom.

The 2023 Optus outage was an unplanned outage of all Optus internet, cellular and fixed-line services in Australia first detected on 8 November 2023 at 04:05 AEDT. The outage caused disruption across government and corporate sectors including hospitals, banks, train services, EFTPOS payment systems, and calls to emergency services. Restoration was gradual with some services being restored around 13:00 AEDT. The outage directly affected more than 10 million people and 400,000 businesses across Australia.

References

  1. Crozier, Ry (1 October 2022). "Australian police, banks join forces to monitor leaked Optus dataset". iTnews. Archived from the original on 30 September 2022. Retrieved 17 October 2023.
  2. "Australia's History in Satellite Technology". The Lowdown. 8 June 2007. Archived from the original on 8 June 2007. Retrieved 3 January 2024.
  3. Gray, Joanne (20 November 1991). "Optus Chosen to Take on Telecom". Australian Financial Review . Retrieved 3 January 2024.
  4. Bradstock, Emma (18 August 2022). "Largest Internet Providers in Australia". Canstar Blue. Archived from the original on 10 June 2023. Retrieved 10 June 2023.
  5. 1 2 3 Turnbull, Tiffanie (29 September 2022). "Optus: How a massive data breach has exposed Australia". BBC News. Archived from the original on 16 May 2023. Retrieved 16 May 2023.
  6. "National, state and territory population – September 2022". Australian Bureau of Statistics. 16 March 2023. Retrieved 3 April 2024.
  7. Smith, Paul (21 December 2022). "Inside the Optus hack that woke up Australia". Australian Financial Review. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  8. McElroy, Nicholas (22 September 2022). "Optus says customer information compromised in cyber attack". ABC News. Archived from the original on 23 September 2022. Retrieved 16 May 2023.
  9. 1 2 Greene, Andrew (23 September 2022). "Optus rejects insider claims of 'human error' as possible factor in hack affecting millions of Australians". ABC News. Archived from the original on 24 September 2022. Retrieved 16 May 2023.
  10. Belot, Henry (24 September 2022). "AFP monitoring dark web amid allegations stolen Optus data may be sold online". ABC News. Archived from the original on 18 May 2023. Retrieved 16 May 2023.
  11. 1 2 3 Maguire, Dannielle (27 September 2022). "An alleged hacker has offered their 'deepest apologies' to Optus. Here's the latest on the data breach". ABC News. Archived from the original on 3 October 2022. Retrieved 16 May 2023.
  12. Evans, Jake (26 September 2022). "Home affairs minister says Optus 'left window open' for cyber criminals". ABC News. Archived from the original on 27 September 2022. Retrieved 16 May 2023.
  13. Evans, Jake (6 October 2022). "Optus given temporary power to share compromised data with banks following hack". ABC News. Archived from the original on 9 October 2022. Retrieved 17 May 2023.
  14. 1 2 3 4 Crozier, Ry. "Services Australia struggles to gauge exposure to Optus data breach". iTnews. Archived from the original on 18 May 2023. Retrieved 18 May 2023.
  15. Speers, David; Greene, Andrew (28 September 2022). "Federal government to unveil new security measures following massive Optus data breach". ABC News. Archived from the original on 17 May 2023. Retrieved 17 May 2023.
  16. 1 2 Evans, Jake (26 February 2023). "Federal government to rewrite cyber laws after Optus, Medibank hacks". ABC News. Archived from the original on 17 May 2023. Retrieved 17 May 2023.
  17. Sadler, Denham. "Govt fires up National Cyber Security Office". Information Age. Retrieved 3 January 2024.
  18. ACSM Admin (23 June 2023). "Australia's New National Cyber Security Coordinator - Australian Cyber Security Magazine" . Retrieved 3 January 2024.
  19. Bajkowski, Julian (15 November 2023). "O'Neil's National Cybersecurity Coordinator sent back to Defence". The Mandarin. Retrieved 3 January 2024.
  20. Foster, Jeffrey (28 February 2023). "Australia has a new cybersecurity agenda. Two key questions lie at its heart". The Conversation. Archived from the original on 19 May 2023. Retrieved 19 May 2023.
  21. Yosufzai, Rashida; Bahr, Jessica. "Optus data breach: What to do about replacing your driver's licence and passport". SBS News. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  22. Cowie, Tom (29 October 2022). "VicRoads to issue almost 1 million free driver's licences after Optus hack". The Age. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  23. Cowie, Tom (29 October 2022). "VicRoads to issue almost 1 million free driver's licences after Optus hack". The Age. Archived from the original on 3 June 2023. Retrieved 15 June 2023.
  24. Smith, Paul (21 December 2022). "Inside the Optus hack that woke up Australia". Australian Financial Review. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  25. 1 2 Branco, Jorge (26 October 2022). "Privacy watchdog given $5.5 million to investigate Optus cyber breach". www.9news.com.au. Archived from the original on 18 May 2023. Retrieved 18 May 2023.
  26. 1 2 Taylor, Josh (26 September 2022). "Optus customers exasperated by chatbots and 'rubbish' communication after data breach". The Guardian. ISSN   0261-3077. Archived from the original on 18 May 2023. Retrieved 18 May 2023.
  27. 1 2 Samios, Zoe (10 November 2022). "Optus hack to cost at least $140 million". The Sydney Morning Herald. Archived from the original on 13 November 2022. Retrieved 18 May 2023.
  28. Conifer, Dan; Xiao, Alison; Bogle, Ariel (3 November 2022). "Optus promises to pay cost of replacing foreign passports compromised in data breach". ABC News. Archived from the original on 3 November 2022. Retrieved 20 May 2023.
  29. Crozier, Ry. "Deloitte brought in to examine Optus data breach". iTnews. Archived from the original on 18 May 2023. Retrieved 18 May 2023.
  30. 1 2 Muroi, Millie (8 March 2023). "Optus boss says 'skilled criminal' behind cyberattack, admits telco lost customers". The Sydney Morning Herald. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  31. Swan, David (20 November 2023). "Optus CEO Kelly Bayer Rosmarin resigns". The Sydney Morning Herald. Retrieved 3 January 2024.
  32. Lapham, Jake (6 October 2022). "Sydney teen demanded $2,000 from Optus customers as part of data breach scam, AFP says". ABC News. Archived from the original on 6 October 2022. Retrieved 17 May 2023.
  33. Guelas, Joanna (7 February 2023). "Sydney man avoids jail over scam texts using Optus hack data". www.9news.com.au. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  34. Borys, Stephanie (11 October 2022). "Optus facing new probes over data hack, could be forced to pay millions in compensation". ABC News. Archived from the original on 13 October 2022. Retrieved 17 May 2023.
  35. Jackson, Lewis (21 April 2023). Osterman, Cynthia (ed.). "Australia's Optus hit with class action over cybersecurity breach". Reuters . Archived from the original on 17 May 2023. Retrieved 17 May 2023.
  36. Bonyhady, Nick; Abbott, Lachlan (20 April 2023). "Class action lawsuit launched against Optus after devastating hack". The Sydney Morning Herald. Archived from the original on 20 May 2023. Retrieved 20 May 2023.
  37. 1 2 Baird, Lucas (8 March 2023). "'No victims' of Optus data hack: CEO". Australian Financial Review. Retrieved 4 October 2023.
  38. Tarabay, Jamie (20 September 2023). "Massive Australian Ransomware Attack Has Victims Demanding Answers". Bloomberg.com. Retrieved 4 October 2023.
  39. Taylor, Josh (10 November 2023). "Optus loses court bid to keep report into cause of 2022 cyber-attack secret". The Guardian. ISSN   0261-3077 . Retrieved 7 March 2024.