Its 2023 one-day outage may have cut mobile and fixed services to over 10 million people, but Optus received just 1,154 complaints and paid only $481,038 in cash compensation, new figures have revealed, as the company simultaneously fights regulators over its 2022 data breach.

The outage – which precipitated the resignation of CEO Kelly Bayer Rosmarin a year after she claimed Optus was breached by “sophisticated criminals” – exacerbated the troubles of a company already facing breach-related lawsuits from regulators and private class actions.

Some 1,049 individual consumers received $38,228 in cash compensation – an average of $36 each – while 15 small and medium business (SMB) customers received an average $559.60 cash each and an additional 75 “unmatched” customers received $5,792 each.

Fifteen enterprise customers of Optus received an average $18,798 each in service credits, while consumers received an average $437 and SMBs around $310 in service credits each.

The figures – which were provided in response to a Question on Notice taken after Optus told a Senate inquiry that it paid cash compensation on top of its initial offer of 200GB of extra data – suggest the company got off lightly given its base of over 11 million customers.

Industry overseer the Telecommunications Industry Ombudsman (TIO) can direct companies to pay affected customers up to $100,000 in compensation for financial losses from outages, and up to $100,000 for complaints about privacy rights, as in the Optus data breach.

The Senate inquiry’s final report into the outage, which was handed down in September, found that Optus’s “manifestly inadequate” processes exacerbated its effects, and argued that the company should be forced to pay customers fair compensation after such incidents.

It was a bitter pill for the telco that is struggling to recast its image after being named Australia’s least trusted company for the past three financial quarters, with recently poached former NBN CEO Stephen Rue set to take over at Optus next month.

Sophisticated breach or careless oversight?

When he joins the executive suite nearly a year to the day after the outage, Rue will wade into the heated debate about whether, in light of the outage and earlier data breach, Optus has made a prima facie case for telcos to be regulated as critical infrastructure providers.

For a government increasingly focused on the security of critical infrastructure – in the telecoms space and many other industry sectors – the joint Optus debacles substantiate the need for stricter oversight, such as through the Telecommunications Sector Security Reforms (TSSR) introduced in 2018.

Much of the recent debate between Optus and ACMA centres around Bayer Rosmarin’s claim that the company was breached by “sophisticated” cyber criminals – a word that is inevitably trotted out by victims but seen as overused by many in the industry.

Despite Optus’s claim the attack required “a high degree of knowledge of Optus’s systems,” ACMA argued in a June court filing that the attack was “not highly sophisticated or one that required advanced skills”.

Rather, ACMA said, the attackers succeeded “through a simple process of trial and error” by manipulating a disused application programming interface (API), which was left exposed due to a “coding error” in the API access controls that was not fixed until after the breach.

The target domain “was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it,” ACMA alleged, arguing that the September 2022 attack “was not highly sophisticated”.
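The failure class ACMA describes – a dormant API route whose access control was broken by a coding error, then worked over by trial and error – is worth seeing in code. The following is an added illustration written for this article; it is not Optus code and is not drawn from ACMA’s filing or the Deloitte and Mandiant reports. It models a legacy lookup handler with the authorization check missing, the hardened deny-by-default version beside it, and a log heuristic a defender can run to spot id-guessing against such a route. Every customer id, token, IP address and log line is constructed, and the detection thresholds are assumed values.

```python
"""Added example: missing API access control beside its fix, plus a
log heuristic for trial-and-error id enumeration. All data constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed records keyed by sequential customer id (not real data).
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1990-01-01"},
    1002: {"name": "B. Example", "dob": "1985-05-05"},
    1003: {"name": "C. Example", "dob": "1978-09-09"},
}

# Constructed session table: bearer token -> customer id it was issued to.
SESSIONS = {"tok-a": 1001, "tok-b": 1002}


@dataclass
class Request:
    customer_id: int
    token: Optional[str] = None  # None models an unauthenticated caller


def legacy_lookup(req: Request) -> Optional[dict]:
    """Models the defect: the handler returns the record without any
    authentication or ownership check, so guessing an id is enough."""
    return CUSTOMERS.get(req.customer_id)


def hardened_lookup(req: Request) -> Optional[dict]:
    """Deny by default: authenticate, then enforce object-level authorization
    (a token may only read the record it was issued for)."""
    owner = SESSIONS.get(req.token)
    if owner is None:
        return None  # would be an HTTP 401
    if owner != req.customer_id:
        return None  # would be an HTTP 403
    return CUSTOMERS.get(req.customer_id)


def count_unauthenticated_reads(handler, ids) -> int:
    """How many records an unauthenticated caller can pull by guessing ids."""
    return sum(1 for i in ids if handler(Request(customer_id=i)) is not None)


# Constructed access-log lines: client ip, status, path. One client walks
# sequential ids and collects both hits and misses; the other is ordinary use.
SAMPLE_LOG = """\
203.0.113.7 200 /api/legacy/customer/1001
203.0.113.7 404 /api/legacy/customer/1004
203.0.113.7 200 /api/legacy/customer/1002
203.0.113.7 404 /api/legacy/customer/1005
203.0.113.7 200 /api/legacy/customer/1003
203.0.113.7 404 /api/legacy/customer/1006
198.51.100.2 200 /api/legacy/customer/1002
"""


def enumeration_suspects(log_text: str, min_distinct_ids: int = 5,
                         min_miss_ratio: float = 0.3) -> list:
    """Flag clients that request many distinct ids on one route and miss a
    high share of the time, the signature of trial-and-error guessing.
    Thresholds are assumed; tune them to the route's normal traffic."""
    ids_seen = defaultdict(set)
    misses = defaultdict(int)
    total = defaultdict(int)
    for line in log_text.splitlines():
        ip, status, path = line.split()
        ids_seen[ip].add(path.rsplit("/", 1)[-1])
        total[ip] += 1
        if status != "200":
            misses[ip] += 1
    return sorted(
        ip for ip in total
        if len(ids_seen[ip]) >= min_distinct_ids
        and misses[ip] / total[ip] >= min_miss_ratio
    )


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("legacy route, records exposed:", count_unauthenticated_reads(legacy_lookup, ids))
    print("hardened route, records exposed:", count_unauthenticated_reads(hardened_lookup, ids))
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
```

The point of the two handlers is that the difference is a few lines: the legacy route is not exploiting anything clever, it simply never asks who is calling. The log heuristic keys on the combination of many distinct ids and a high miss rate from one client, which is what ordinary customer traffic does not produce; it is a first-pass signal, and the same inventory that surfaces a route with no legitimate traffic for months is the control that would have retired the dormant domain ACMA describes.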

Optus disputed the claims as its Federal Court battle with ACMA recently restarted, with the Australian Financial Review reporting that the court has ordered copies of the expert reports into the breach, commissioned from Deloitte and Mandiant but since suppressed.

Penalties for the breach could theoretically reach $250,000 for each of at least 3.6 million occasions – suggesting that while Optus may have escaped significant direct compensation for the outage, the company remains extremely exposed to future regulatory sanctions.

“The review clearly highlighted the need for a structured approach to managing telecommunications outages,” telco industry analyst Paul Budde recently wrote, “focusing on testing, resilience, and effective communication.”

By addressing the recommendations of the inquiry, he said, “Australia can better prepare for future outages, minimise their impact, and maintain the integrity of essential services… ultimately safeguarding the public and the economy from similar incidents in the future.”