Optus has been hit with an $826,320 penalty after the national communications regulator found serious failings in its identity-verification processes, allowing scammers to take over customers’ mobile numbers and siphon money from their bank accounts.
The Australian Communications and Media Authority (ACMA) said Optus Mobile Pty Ltd, which operates the Coles Mobile brand, breached mandatory anti-scam rules 44 times across September and October 2024. The contraventions allowed criminals to exploit a weakness in a third-party verification system and port out mobile numbers without proper checks.
According to ACMA, at least four customers had their services hijacked through the compromised process. Once in control of the numbers, scammers used them to break into online banking profiles, leading to reported losses of $39,000. The regulator described the harm as preventable and warned that number-takeover attacks continue to rise across the telecoms sector.
ACMA Authority Member Samantha Yorke said the customer impacts can be severe, pointing to the disruption that follows when digital credentials are stolen. She said “there can be severe impacts on Australians from this type of scammer attack, including devastating financial losses and lasting distress from having to recover digital identities.”
Yorke said the size of the company made the failures more concerning. “While this was a one-off issue which was quickly remediated, it is inexcusable for any telco not to have robust customer ID verification systems in place, let alone Australia’s second largest provider,” she said.
She added that scammers actively probe for vulnerabilities and, in this instance, “Optus left a vulnerability which directly exposed people to harm.” The regulator imposed its strongest sanction, noting: “This is the maximum financial penalty the ACMA was able to give in this matter. It reflects the serious nature of the breaches.”
The issue originated in software managed by an external identity-verification provider. The flaw allowed unauthorised porting requests to bypass parts of the required pre-porting checks, a process specifically designed to block SIM-swap and number-takeover fraud.
For risk professionals, the case underscores the extent to which outsourced verification tools can become single points of failure. Under the 2020 industry standard governing pre-porting authorisation, carriers are required to maintain strong identity controls even when external technology partners are involved.
The ACMA has made mobile-number fraud a compliance priority due to the high correlation between compromised phone numbers and subsequent financial theft. Over the past 12 months, telecom businesses have paid more than $1.9 million in penalties for breaches of the same standard.
Although ACMA emphasised that this particular flaw was confined to a short period and was fixed swiftly, Optus is operating under heightened regulatory scrutiny after a string of well-publicised security and system failures in recent years. That history has reduced the regulator’s tolerance for further errors, especially those involving customer identity risk.
The penalty also signals that regulators are now expecting enterprise-grade oversight of third-party providers, particularly where security verification is outsourced. Weak assurance practices or insufficient testing of vendor systems are increasingly treated as material governance failures rather than technical oversights.
For security and risk leaders, the Optus case highlights several emerging themes:
The investigation also reinforces the risks created by the widespread use of mobile numbers as a form of authentication. When those numbers can be ported with inadequate checks, the path from vulnerability to direct financial crime is short.
Authorities continue to advise customers to contact their telco and financial institution immediately if they suspect their number has been compromised, and to report incidents to Scamwatch to help track and disrupt emerging criminal techniques.
