Optus has been hit with an $826,320 fine after scammers exploited a flaw in its third-party ID verification systems, leading to fraudulent number porting and $39,000 in customer losses.

The Australian Communications and Media Authority (ACMA) found Optus, through its Coles Mobile brand, breached anti-scam rules 44 times between September and October 2024.

A vulnerability in verification software supplied by Prvidr allowed criminals to bypass mandatory ID checks, seize control of at least four mobile services, intercept SMS authentication codes and drain customers’ bank accounts.

ACMA member Samantha Yorke said the lapse was “inexcusable”, particularly for Australia’s second-largest telco.

“Scammers are always looking for weaknesses. On this occasion Optus left a vulnerability that directly exposed people to harm,” she said. The $826k penalty is the maximum ACMA can impose for such breaches.

Optus apologised, confirming several numbers were “unlawfully ported” due to the software issue.

The penalty adds to a tough period for Optus, which is still dealing with the fallout from its catastrophic Triple Zero outage in September and a recent Federal Court ruling that handed the company a $100 million fine for predatory sales practices targeting vulnerable customers.

Despite the setbacks, Optus reported 169,000 net customer additions and a 27% lift in earnings before interest and tax in its most recent quarterly update.

Optus said the latest flaw was resolved within 24 hours of discovery and that Prvidr has since strengthened its verification and porting controls.

“We accept the ACMA’s action and reaffirm our commitment to strengthening customer protections,” an Optus spokesperson said, adding the telco is working with government, banks and industry partners to reduce identity-theft risk across networks.

The company has launched an independent operational review led by Kerry Schott and is building an enterprise-wide scam-prevention unit to bolster defences.

ACMA says Australian telcos have paid more than $1.9 million in penalties for breaching industry scam standards over the past year.