This was published 4 months ago

Privacy watchdog sues Optus over mass data breach

By David Swan

Optus is facing a potential mammoth fine after Australia’s privacy watchdog launched civil Federal Court proceedings over a September 2022 cyberattack in which the personal information of nearly 10 million Australians was stolen.

During the cyberattack, which was one of the worst in the nation’s history, hackers gained unauthorised access to the personal information of millions of current, former and prospective Optus customers, some of which was then leaked to the dark web.

Former Optus chief executive Kelly Bayer Rosmarin was grilled about the network outage at a Senate hearing in November 2023. Credit: Alex Ellinghausen

About 40 per cent of the population are Optus customers and many couldn’t use their phone or internet services on the day of the breach, when hackers demanded a $1.5 million ransom to stop the data from being sold online. A few hours later the thieves deleted the ransom notice and apologised.

Australia’s Information Commissioner is alleging Optus failed to take reasonable steps to protect the personal information it held, in alleged mass breaches of the Privacy Act. In some cases, the data included passport numbers, driver’s licence numbers, Medicare card numbers, birth certificate and marriage certificate information.

The Federal Court can impose a penalty of up to $2.22 million for each contravention of the Privacy Act, and the commissioner is alleging one contravention for each of the 9½ million individuals. That maximum penalty would theoretically amount to some $20.9 trillion, although a penalty of that amount is not possible as it would be many times the size of Australia’s economy. The watchdog did not specify the maximum penalty it is seeking.

“The Optus data breach highlights some of the risks associated with external-facing websites and domains, particularly when these interact with internal databases holding personal information, as well as the risks around using third-party providers,” Privacy Commissioner Carly Kind said in a statement.

An Optus spokeswoman said the company would respond to the claims “in due course”.

“Optus apologises again to our customers and the broader community that the 2022 cyberattack occurred,” she said.

“We strive every day to protect our customers’ information and have been working hard to minimise any impact the cyberattack may have had. As the matter is now before the Australian courts, Optus will not be commenting further at this time.”

Optus is already facing Federal Court claims by Australia’s communications watchdog, the Australian Communications and Media Authority, over the cyberattack. The watchdog claims Optus should have known it had a flaw in its system four years before its customers’ data was stolen in 2022.

Privacy Commissioner Carly Kind. Credit: Edwina Pickles

The cyberattack kicked off a hellish period for Australia’s second-largest telco, which suffered a separate 12-hour outage about a year later. Optus lost thousands of customers as a result of the outage and CEO Kelly Bayer Rosmarin and other top executives resigned soon after. Bayer Rosmarin was later replaced by former NBN Co chief Stephen Rue.

The Optus breach also led to tougher penalties for serious or repeated breaches of customer data; organisations that fail to adequately protect people’s data now face fines of $50 million or more.

The peak communications consumer body, ACCAN, said it was hopeful the court action would drive cultural change in the telco sector.

In June, Optus agreed to pay $100 million in penalties over “unconscionable conduct” related to selling vulnerable customers products they could not afford or use.

Optus’ customers were hit by a major outage after the cyberattack.

“This court action demonstrates how far short Optus fell from what consumers expect and deserve from their telcos,” ACCAN chief executive Carol Bennett said.

“We have a long way to go to remedy the sorts of practices and behaviours we have seen from Optus over the past few years. It paints a picture of a telco that has lost sight of its obligation to consumers in delivering an essential service that consumers need and rely upon.

“Changing that culture won’t be easy and this very significant action from [the Information Commissioner’s office] is yet another wake-up call … It seems Optus have been asleep at the wheel when it comes to accepting their moral and ethical responsibility to Australians.”

Tom Sulston, the head of policy of lobby group Digital Rights Watch, also welcomed the action and said businesses should be minimising the amount of personal information they store, and the period for which they hold it.

He also described the move as a further case for privacy reform.

“As a rule, companies do tend to hang on to more information than they need and for longer than they need it. Some of that is due to regulation – such as metadata retention – but plenty is down to companies’ desire to find ways to monetise our information,” he said.

“A few years ago, all the industry talk was about data being the new oil. We’re finding out that data is more like the new asbestos: useful, needs to be handled with care, and very harmful if released to the public.”

Original URL: https://www.theage.com.au/link/follow-20170101-p5mlh1