Australian telco Optus says a software error during a routine update caused a 12-hour outage that left 40% of the country’s population without internet access.

Optus has blamed a software error for a major internet outage. (Photo by T Schneider/Shutterstock)

The incident last Wednesday saw more than ten million Australians left without connectivity, and is the latest headache for Optus as it continues to deal with the fall-out of last year’s devastating cyberattack, which exposed the data of millions of citizens to hackers.

Optus explains how Australia lost internet connectivity

In a statement released today, Optus’s parent company, Singtel, said “changes to routing information” following a “routine software upgrade” led to the outage.

The changes, which stemmed from “an international peering network” caused a ripple effect, the network said. A spokesperson explained: “These routing information changes propagated through multiple layers in our network and exceeded preset safety levels on key routers which could not handle these.

“This resulted in those routers disconnecting from the Optus IP Core network to protect themselves.”

Optus said reconnecting the routers “in some cases required Optus to reconnect or reboot routers physically, requiring the dispatch of people across a number of sites in Australia,” adding that it had “made changes to the network to address this issue so that it cannot occur again”.

The incident had a big impact on the Australian economy, with payment systems, public transport and health services all limited by the outage.

And though the company offered customers free data as compensation, it could face claims for further compensation from disgruntled clients.

The Australian government said it would be conducting its own investigation into the incident and the resilience of the nation’s digital infrastructure.

Australia’s digital woes continue

Wednesday’s outage came a year after Optus was at the centre of another scandal – a cyberattack that saw data on millions of its customers stolen.

Attackers were said to have infiltrated the Optus system through an API used to test a customer ID system. It is thought that human error left the API externally visible, allowing hackers to gain access to customer records.

The precise number of Optus customers impacted by the breach is unclear, but the company faces a class action lawsuit as well as a probe by the Office of the Australian Information Commissioner.

Last week it was announced that a forensic report into how the Optus attack happened, carried out by Deloitte on behalf of the telco, could be made public as part of the lawsuit. Optus had argued that the contents of the report were privileged information and should be kept secret, but in a Friday ruling Justice Jonathan Beach said some or all of the report may be published as part of the case to help build greater understanding of the breach.

Read more: Has Australia tamed its cybersecurity demons?