Two years later: Optus data breach probed

Joseph Brookes
Senior Reporter

Australia’s privacy regulator is formally investigating Optus for an alleged breach of customers’ privacy after the telco published nearly 50,000 customers’ personal information in the White Pages. It follows nearly two years of preliminary inquiries by the watchdog and a class action on behalf of Optus customers.

The data breach occurred in 2019 when Optus published customers’ name, mobile phone numbers and addresses in the White Pages online and in print, despite individuals asking for the details not to be published.

Optus reportedly discovered the breach during a routine audit of 10 million customers then notified those affected and apologised to them. The information was removed online but copies of the physical White Pages were already in circulation.

Maurice Blackburn made a representative complaint to the regulator in April last year and began a class action against the telco alleging it failed in its duties under the Australian Privacy Act.

The case is the first time a class action has used the act to seek compensation for customers, according to the leading legal firm.

Australian Information Commissioner and Privacy Commissioner Angelene Falk

The Office of the Australian Information Commissioner (OAIC) was notified of the data breach shortly after it happened and the telco said it would work with the watchdog on its preliminary inquiries.

On Friday, the OAIC said it was launching an official investigation, nearly two years after the incident occurred.

“This is a complex matter that requires consideration of acts and practices across multiple incidents, spanning a number of years and involving approximately 50,000 individuals,” an OAIC spokesperson told InnovationAus.

“Prior to the commencement of an investigation, the OAIC undertakes preliminary inquiries. In this instance, these inquiries were extensive.”

Optus said it takes the protection of personal information seriously and it will work with the regulator on the investigation.

“We will continue to work collaboratively with the OAIC on this historic matter,” an Optus spokesperson said.

Maurice Blackburn principal lawyer Elizabeth O’Shea said the firm’s complaint is progressing.

“We will carefully monitor the OAIC investigation into Optus and assess how it relates to our representative complaint,” Ms O’Shea told InnovationAus.

The OAIC’s investigation could take years, based on their other probes into data breaches, and its unclear how serious any determination made by Privacy Commissioner Angelene Falk may be.

Some previous data breach determinations have only required undertakings to improve information systems and governance. But earlier this Ms Falk ordered the Department of Home Affairs to pay compensation to nearly 1,300  immigration detention detainees whose personal information was mistakenly posted online in 2014.

“The public disclosure of personal information against the wishes of individuals may have the potential to cause harm,” the OAIC said in a short statement on Friday.

“The OAIC’s investigations can determine whether such matters involve systematic issues that can be prevented by ensuring the right practices are in place. This can set a benchmark for all organisations and build trust in the community.”

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories