Australia’s second fastest internet provider has paid nearly $700,000 in penalties after an ACMA investigation blamed it for inadequate identity verification processes that enabled fraudsters to steal over $412,000 by gaining control of customers’ mobile services and bank accounts.

The investigation, which stems from 73 different cases of mobile number porting between 5 June and 3 July 2024, found that Exetel had repeatedly breached the Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020.

That standard was designed to prevent unauthorised porting of mobile numbers – a tactic criminals use during ‘SIM-swapping’ attacks, in which perpetrators take over a victim’s mobile service so they can receive the one-off codes sent to confirm access or password changes.

Subsection 8(2) of the standard requires mobile service providers to use “at least one additional identity verification process… to confirm that the person requesting a port is the rights of use holder of the mobile service number to be ported.”

A “deficiency” in Exetel’s mobile transfer portal, however, meant that it failed to complete any such identity verification process while processing 73 port requests. Authorities later learned that 68 of the numbers involved were “in the possession of bad actor/s who verified the porting requests.”

In the other five cases, the investigation found, Exetel did text a unique verification code to the number to be ported, only for “bad actor/s” to take unspecified actions “so they could proceed with an unverified port.”
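The gating logic the standard calls for, and the class of gap the ACMA findings describe (a port that proceeds without the verification step ever being consulted), can be modelled directly. The Python below is an added illustration written for this article; it is not Exetel’s portal code and makes no claim about how the “bad actor/s” proceeded. The state machine, the code lifetime and attempt limit, the stubbed SMS gateway and the sample numbers are all assumptions. It places a port that executes without checking the verification result next to a gate that fails closed, and exercises the wrong-code, expired-code and replay cases.

```python
"""Hypothetical pre-port identity verification gate (added illustration, not Exetel's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 300   # assumed policy value
MAX_ATTEMPTS = 3         # assumed policy value


class State(Enum):
    PENDING = auto()     # code sent to the number to be ported, not yet confirmed
    VERIFIED = auto()    # correct code entered within the TTL
    CONSUMED = auto()    # port executed; the verification cannot be reused
    EXPIRED = auto()
    LOCKED = auto()      # too many wrong codes


@dataclass
class PortRequest:
    request_id: str
    msisdn: str                      # number the requester wants to port
    state: State = State.PENDING
    code: Optional[str] = None
    issued_at: float = 0.0
    attempts: int = 0


class PortingPortal:
    """Gaining-provider side of a port, with the SMS gateway stubbed out."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.sent_sms: List[Tuple[str, str]] = []   # (msisdn, code) in place of a real gateway
        self.ported: List[str] = []

    def start_port(self, request_id: str, msisdn: str) -> PortRequest:
        req = PortRequest(request_id, msisdn)
        req.code = f"{secrets.randbelow(10**6):06d}"
        req.issued_at = self.clock()
        self.sent_sms.append((msisdn, req.code))   # one-off code goes to the number being ported
        return req

    def submit_code(self, req: PortRequest, code: str) -> bool:
        """Confirm the code for this specific request; True only on success."""
        if req.state is not State.PENDING:
            return False
        if self.clock() - req.issued_at > CODE_TTL_SECONDS:
            req.state = State.EXPIRED
            return False
        req.attempts += 1
        if req.code is not None and hmac.compare_digest(req.code, code):
            req.state = State.VERIFIED
            return True
        if req.attempts >= MAX_ATTEMPTS:
            req.state = State.LOCKED
        return False

    def execute_port_unchecked(self, req: PortRequest) -> bool:
        """The defect class in the findings: SMS sent, but the outcome is never consulted."""
        self.ported.append(req.msisdn)
        return True

    def execute_port(self, req: PortRequest) -> bool:
        """Fail-closed gate: port only if THIS request reached VERIFIED, and only once."""
        if req.state is not State.VERIFIED:
            return False
        req.state = State.CONSUMED
        self.ported.append(req.msisdn)
        return True


def demo() -> Dict[str, object]:
    """Walk both code paths under a fixed clock (sample numbers are constructed)."""
    now = [1_700_000_000.0]
    portal = PortingPortal(clock=lambda: now[0])
    results: Dict[str, object] = {}

    r1 = portal.start_port("req-1", "+61400000001")
    results["unchecked_ported_without_code"] = portal.execute_port_unchecked(r1)

    r2 = portal.start_port("req-2", "+61400000002")
    results["gate_refuses_unverified"] = not portal.execute_port(r2)
    wrong = "000000" if r2.code != "000000" else "111111"   # guaranteed wrong code
    for _ in range(MAX_ATTEMPTS):
        portal.submit_code(r2, wrong)
    results["locked_after_attempts"] = r2.state is State.LOCKED
    results["locked_rejects_real_code"] = not portal.submit_code(r2, r2.code or "")

    r3 = portal.start_port("req-3", "+61400000003")
    delivered = portal.sent_sms[-1][1]               # what the handset received
    results["correct_code_verifies"] = portal.submit_code(r3, delivered)
    results["verified_port_succeeds"] = portal.execute_port(r3)
    results["replay_refused"] = not portal.execute_port(r3)

    r4 = portal.start_port("req-4", "+61400000004")
    now[0] += CODE_TTL_SECONDS + 1                   # let the code age past its TTL
    results["expired_code_rejected"] = not portal.submit_code(r4, portal.sent_sms[-1][1])
    results["expired_state"] = r4.state is State.EXPIRED

    results["ported_numbers"] = list(portal.ported)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the contrast is where the decision is made: `execute_port_unchecked` and `execute_port` see the same request, but only the latter consults the server-side verification state, so no client-side manipulation of the flow can turn an unverified request into a completed port.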

Investigations supported by the Australian Cyber Security Centre (ACSC) and the Australian Financial Crimes Exchange (AFCX) found that the criminals went on to fleece their victims of over $412,000, causing what ACMA member Samantha Yorke called “serious financial harm and stress.”

ACMA knows about “significant financial losses suffered by consumers,” she said in announcing the $694,860 fine and two infringement notices, “and we know that this kind of fraud can also lead to misuse of personal information and ongoing emotional harm connected to identity theft.”

Although Exetel quickly moved to fix the problems with its systems once they were identified, Yorke said, “the vulnerabilities should not have existed in the first place and the people impacted should have been protected.”

SIM swapping has become a global scourge

As a key stepping stone to broader account takeover and identity theft, SIM swapping has become a favoured technique of cybercriminals worldwide.

The technique has surged in recent years, with authorities last year reporting a 1,055 per cent increase in SIM swap frauds. In one recent case, a 71-year-old businessman had $520,000 (£250,000) taken from his bank account after criminals took over his phone number.

Mobile number fraud “has serious impacts on Australians,” ACMA has previously warned as it designated efforts to fight the problem as a key compliance priority for 2025 – threatening “strong enforcement action if we find non-compliance.”

The agency has been actively monitoring telco compliance with mobile porting and other obligations. In separate enforcement actions it also recently fined TAB $4 million and Betfair $871,660 for repeated breaches of spam laws, and warned four telcos over inadequate financial hardship support.

In May, ACMA fined telco Circles Australia $413,160 after a third-party customer service agency failed to verify the identity of 26 customers whose mobile services were then abused by scammers who stole at least $45,000. It was the telco’s second such penalty, a repeat failure that Yorke called “unacceptable”.

The penalty for Exetel, a subsidiary of Superloop since 2021 that was ranked as Australia’s fastest ISP earlier this year before being pipped by Telstra in the ACCC’s latest Measuring Broadband Australia report, is the largest issued for contraventions of the mobile porting rules to date.

Cracking down on errant telcos

The major breach of Optus in 2022, which recently spawned significant civil action, has driven intensifying scrutiny of the sector. Telcos have become a favoured target of cybercriminals because, as large critical infrastructure operators, they hold extensive personal details on millions of customers.

Just last week, ISP iiNet’s order management system was breached, compromising the personal details of 280,000 customers.

Aiming to motivate telcos to prioritise data security and other compliance goals, the federal government this week moved to introduce new legislation that would boost potential penalties for telco code breaches by 40 times – up to $10 million or more, based on the telco’s turnover.

The new Telecommunications Amendment (Enhancing Consumer Safeguards) Bill 2025 will also empower ACMA to immediately act on industry code breaches, with Minister for Communications Anika Wells saying the reforms are “cracking down on telcos who cause harm to customers.”

“This is first and foremost about looking after consumers,” she said, “as well as driving fairness and building trust in the vital telecommunications industry…. These changes will make a real difference.”