Optus Penalised Over Breaches of Australia’s Anti-Scam Rules

Key Takeaways
  • Optus Penalty: Optus paid about $537,000 (AUD $826,320) after ACMA found 44 breaches of anti-scam rules tied to mobile number transfers.
  • Verification Gap: A flaw in a third-party ID check system let scammers bypass parts of the process and take control of customers’ mobile services.
  • Impact on Victims: Four consumers had their numbers hijacked and bank accounts accessed, leading to about $25,400 (AUD $39,000) in reported losses.
  • Regulator Stance: ACMA called the lapse “inexcusable,” noting Optus’s size and the direct harm caused, even though the issue was quickly fixed.
  • Broader Trend: Penalties for similar identity-verification breaches have topped about $1.23 million (AUD $1.9 million) in the past year.
Deep Dive

Optus Mobile has paid a penalty of about $537,000 (AUD $826,320) after Australia’s communications regulator found the company failed to follow required anti-scam rules, leaving several customers vulnerable to financial losses and identity theft.

The Australian Communications and Media Authority (ACMA) said its investigation identified 44 breaches in September and October 2024, when Optus was operating under the Coles Mobile brand. The lapses stemmed from a weakness in a third-party identity verification system that scammers were able to exploit.

According to ACMA, the vulnerability allowed scammers to bypass parts of the mandatory ID-checking process, take control of at least four consumers’ mobile numbers, and access their bank accounts. Those incidents resulted in reported losses of about $25,400 (AUD $39,000).

ACMA Authority Member Samantha Yorke said the breach had a direct and harmful impact on the people whose accounts were compromised, noting both the financial fallout and the ordeal of recovering stolen digital identities.

“While this was a one-off issue which was quickly remediated, it is inexcusable for any telco not to have robust customer ID verification systems in place, let alone Australia’s second largest provider,” Yorke said. She added that scammers routinely look for weaknesses, and in this case, the gap in verification “directly exposed people to harm.”

Yorke also noted that the penalty issued to Optus was the maximum allowed under the applicable rules.

Mobile number fraud remains one of ACMA’s current compliance priorities. Under the Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020, providers must verify a customer’s identity before transferring a number to a new service.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.
