
Eric DeGrass
September 24th, 2025
The Optus outage shows that non-security defects can disrupt critical services with catastrophic results. True operational resilience requires managing all third-party software risks, not just cyber threats.
Australia is once again reckoning with the consequences of an Optus outage. Optus, one of the country’s largest telecommunications providers, suffered a disruption lasting over 13 hours that prevented hundreds of triple-0 calls from connecting across multiple states (ABC coverage). Triple-0 is Australia’s equivalent of 911 in the United States, the emergency number used to connect callers with police, fire, or ambulance services.
Early information indicates the cause was a “technical issue,” not a malicious attack (Reuters). Tragically, the consequences of this non-security outage were profound, offering another unwanted example of how non-security failures can be just as devastating as any cyber incident. In this case, there have been multiple deaths directly connected to this outage.
"Risk is not defined by the flaw itself, but by the context in which it strikes."
In fact, Optus offers a very clear illustration of this when looking at two earlier incidents in 2022 and 2023. In 2022, Optus suffered a very public cyber incident, followed in 2023 by an operational (non-security) incident. The contrast is instructive.
The 2022 cyber incident drew headlines, investigations, and significant fines, but it did not immediately disrupt access to emergency services. The 2023 non-security outage, by comparison, triggered not only penalties and executive accountability but also a heightened regulatory response because it directly interfered with critical services in real time.
In both cases, the technical origins were not extraordinary, yet the 2023 event proved far more material simply because of the operational context in which it occurred. This latest 2025 outage takes that same dynamic to its most extreme point, where what might appear as “just a technical issue” instead contributed to the loss of life. The lesson is clear: risk cannot be measured solely by the nature of the flaw, but by the environment in which it manifests.
Organizations cannot afford to treat “technical issues” as routine. Context defines consequence. What appears minor in a sandbox can escalate into catastrophic failure in the field.
This is precisely why BugZero exists: to help enterprises detect, assess, and address third-party defects before they evolve into outcomes no one can undo.
Discover more about BugZero and how we help organizations strengthen resilience against third-party software risks.
FAQ:
What larger issues are highlighted by the recent Optus incident? The outage shows that the impact of a technical failure cannot be judged solely by its root cause. A non-security flaw, when it touches critical services such as emergency response, can be just as disruptive and damaging as a cyberattack. The broader issue is that resilience planning must account for all sources of disruption, not only those tied to malicious activity.
How do security and non-security incidents differ? Security incidents are caused by deliberate, malicious actions such as hacking, ransomware, or data theft. Non-security incidents stem from technical failures, misconfigurations, or supplier flaws without malicious intent.
How are security and non-security incidents similar? Both can interrupt critical services, cause financial losses, trigger regulatory penalties, and damage trust. Whether an outage originates from a hacker or a failed update, the consequences for customers and regulators can be equally severe.
Why are unmanaged non-security risks dangerous? Non-security risks are often overlooked as routine “technical issues.” When left unmanaged, they can escalate into major operational failures, as seen in the Optus outage, where the consequences extended to emergency response systems.
What is the cost of treating non-security risks as secondary? Organizations risk underestimating the true impact of vendor flaws. This creates blind spots in resilience planning, increases exposure to regulatory action, and leaves customers vulnerable to service failures that may be catastrophic.