Class action against Optus after 2022 data breach registers 160,000 members
About 160,000 people whose passport and Medicare numbers were leaked online have registered to join a class action against Optus, as lawyers argue about how the case should proceed.
About 160,000 people whose passport and Medicare numbers were leaked online after Optus was hacked in 2022 have registered to partake in a class action against the telco.
Appearing for class action behemoth Slater & Gordon, barrister William Edwards, KC, told the Federal Court on Wednesday of the estimated number of members to join the action, which alleges Optus failed to protect the personal information of 9.8 million of its current and former customers whose personal data was leaked online after a cyber attack.
The court was told Optus and Slater & Gordon were still trying to settle the case by mediation, with a hearing possible if that failed.
In court, the parties argued over how much security Slater & Gordon should give Optus since it insisted on a secretive regime to keep documents exchanged in the case away from the public.
Optus announced that a cyber attack had breached its systems, exposing the personal information of millions of current and former customers, including about 10,000 customers whose details were leaked on the dark web.
Passport numbers, driver licence numbers, identity documents and Medicare card numbers were among the sensitive pieces of information leaked online.
Optus was heavily criticised and its then chief Kelly Bayer Rosmarin quit the telco in the wake of the attack, after initially claiming the company would release the findings of a Deloitte investigation into what happened but reneging on the promise.
Slater & Gordon have now received the report, but it is still suppressed from the public.
A separate action has been filed against the telco by the Australian Communications and Media Authority, alleging a coding error introduced to Optus’ public domain meant it was not “adequately” protected.
According to a redacted amended statement of claim, seen by The Australian, Optus was allegedly aware in August 2021 of vulnerabilities to the domain but not the coding error.
According to ACMA’s pleadings, at no time between September 2018 and September 2020 did Optus identify the coding error.
It said that, due to the coding error, a cyber attacker was able to obtain the personal information.
“The cyber attack was not a highly sophisticated cyber attack and did not require advanced skills,” the pleading stated.
In its defence, Optus said “the cyber-attacker commenced the cyber-attack with a high degree of knowledge of Optus’ systems”.
“Optus Mobile was the target of a criminal act by the Cyber-attacker that deliberately targeted Optus’ API interface,” the defence document said.
Optus claimed the cyber attacker avoided detection alerts.
ACMA is seeking pecuniary penalties against Optus.