Privacy watchdog sues Optus over 2022 data breach


Australia’s privacy regulator is taking Optus to court over the telco’s 2022 data breach, alleging the company “seriously interfered” with the privacy of around 9.5 million Australians.

The Office of the Australian Information Commissioner on Friday said it has filed civil penalty proceedings in the Federal Court against Optus following an almost two-year investigation into the breach.

The Federal Court will be able to apply a $2.2 million fine for each proven breach of the Privacy Act. The breach occurred just before the government radically increased the penalties to $50 million.

The data breach, which occurred as a result of an unprotected and publicly exposed API, was one of the most serious privacy breaches in recent years, with the details of more than 10,000 customers published on the dark web.

Optus disclosed the data breach in September 2022, initially describing it as the result of a “sophisticated” cyber-attack by a criminal organisation or state-based actor.

More than 9 million current and former customers had basic information, such as names and phone numbers, disclosed, with at least 2.1 million of those also having identity documents like driver’s licences and Medicare cards stolen.

At least 2.1 million current and former customers had identity documents compromised, leading the government to create a new register to block fraudulent attempts to use stolen identity credentials.

The OAIC is alleging that in the three years leading up to the breach, Optus “seriously interfered” with the privacy of around 9.5 million Australians because it failed to take reasonable steps to protect its data from misuse and unauthorised access or disclosure.

Australian Privacy Principle 11.1 requires organisations to take steps that are reasonable in the circumstances to protect the personal information they hold from unauthorised access or misuse.

“The commencement of these proceedings confirms that the OAIC will take the action necessary to uphold the rights of the Australian community,” said Australian Information Commissioner Elizabeth Tydd.

“Organisations hold personal information within legal requirements and based upon trust. The Australian community should have confidence that organisations will act accordingly, and if they don’t the OAIC as regulator will act to secure those rights.”

A spokesperson for Optus said the company will “review and consider the matters raised in the proceedings and will respond to the claims made by the Australian Information Commissioner in due course”.

“We continue to recognise that as the cyber threat environment evolves, the security of our customers and their personal information has never been more important. We will continue to invest in the security of our customers’ information, our systems, and our cyber defence capabilities,” the spokesperson said.

Privacy Commissioner Carly Kind said the breach was a reminder for businesses holding personal data to ensure they have strong enough data governance and security practices to “guard against vulnerabilities that threat actors will be ready to exploit”.

“The Optus data breach highlights some of the risks associated with external-facing websites and domains, particularly when these interact with internal databases holding personal information, as well as the risks around using third-party providers,” she said.

The OAIC opened its investigation into Optus’s personal information handling practices in October 2022 to understand whether it took reasonable steps to protect the personal information it held from misuse and unauthorised access or disclosure.

Last year, the regulator also brought legal action against Medibank for its 2022 data breach, which impacted a similar number of people. The matter remains before the courts.

Do you know more? Contact James Riley via Email.