Optus has been fined $826,320 by the Australian Communications and Media Authority (ACMA) after scammers exploited a flaw in its third-party identity verification systems, resulting in significant customer losses. The incident, which occurred between September and October 2024, involved fraudulent number porting that led to approximately $39,000 in losses for affected customers.
The ACMA investigation revealed that the telecommunications provider, through its Coles Mobile brand, breached anti-scam regulations 44 times. A vulnerability in the verification software supplied by Prvidr enabled criminals to bypass essential identity checks, gain control of at least four mobile services, intercept SMS authentication codes, and access customers’ bank accounts. ACMA member Samantha Yorke described the lapse as “inexcusable,” especially given Optus’s position as Australia’s second-largest telecommunications company. She stated, “Scammers are always looking for weaknesses. On this occasion, Optus left a vulnerability that directly exposed people to harm.”
The penalty imposed is the maximum that the ACMA can enforce for such breaches. In response, Optus has acknowledged the issue and confirmed that several numbers were “unlawfully ported” due to the verification software flaw. This fine adds to the ongoing challenges faced by Optus, which is still recovering from a significant outage of the Triple Zero emergency service in September and a recent Federal Court ruling that resulted in a $100 million fine for predatory sales practices targeting vulnerable customers.
Despite these setbacks, Optus reported 169,000 net customer additions and a 27% increase in earnings before interest and tax in its most recent quarterly update. The company stated that it resolved the identified flaw within 24 hours of discovery and that Prvidr has since strengthened its verification and porting controls.
An Optus spokesperson emphasized the company’s commitment to enhancing customer protections, stating, “We accept the ACMA’s action and reaffirm our commitment to strengthening customer protections.” The spokesperson added that the telco is collaborating with government entities, banks, and industry partners to mitigate the risks of identity theft across networks.
In light of these incidents, Optus has initiated an independent operational review led by Kerry Schott and is establishing an enterprise-wide scam-prevention unit to bolster its defenses. According to the ACMA, Australian telecommunications companies have collectively paid over $1.9 million in penalties for violating industry scam standards in the past year, highlighting the ongoing challenges faced by the sector in combating fraud.