Optus sued by Australia's OAIC privacy watchdog over massive data breach due to 2022 cyberattack
Optus is facing a potentially mammoth fine after Australia's privacy watchdog launched civil Federal Court proceedings over a September 2022 cyberattack in which the personal information of nearly 10 million Australians was stolen.

During the cyberattack, which was one of the worst in the nation's history, hackers gained unauthorised access to the personal information of millions of current, former and prospective Optus customers, some of which was then leaked to the dark web.

[Photo: Former Optus chief executive Kelly Bayer Rosmarin was grilled about the network outage at a Senate hearing in November 2023. Credit: Alex Ellinghausen]

About 40 per cent of the population are Optus customers, and many couldn't use their phone or internet services on the day of the breach, when hackers demanded a $1.5 million ransom to stop the data from being sold online. A few hours later, the thieves deleted the ransom notice and apologised.

Australia's Information Commissioner is alleging Optus failed to take reasonable steps to protect the personal information it held, in alleged mass breaches of the Privacy Act. In some cases the data included passport numbers, driver's licence numbers, Medicare card numbers, and birth certificate and marriage certificate information.

The Federal Court can impose a penalty of up to $2.22 million for each contravention of the Privacy Act, and the commissioner is alleging one contravention for each of the 9½ million individuals. That maximum penalty would theoretically amount to some $20.9 trillion, although a penalty of that amount is not possible, as it would be many times the size of Australia's economy. The watchdog did not specify the maximum penalty it is seeking.

"The Optus data breach highlights some of the risks associated with external-facing websites and domains, particularly when these interact with internal databases holding personal information, as well as the risks around using third-party providers," Privacy Commissioner Carly Kind said in a statement.

An Optus spokeswoman said the company would respond to the claims in due course.

"Optus apologises again to our customers and the broader community that the 2022 cyberattack occurred," she said.

"We strive every day to protect our customers' information and have been working hard to minimise any impact the cyberattack may have had. As the matter is now before the Australian courts, Optus will not be commenting further at this time."

Optus is already facing Federal Court claims by Australia's communications watchdog, the Australian Communications and Media Authority, over the cyberattack. The watchdog claims Optus should have known it had a flaw in its system four years before its customers' data was stolen in 2022.

[Photo: Privacy Commissioner Carly Kind. Credit: Edwina Pickles]

The cyberattack kicked off a hellish period for Australia's second-largest telco, which suffered a separate 12-hour outage about a year later. Optus lost thousands of customers as a result of the outage, and CEO Kelly Bayer Rosmarin and other top executives resigned soon after. Bayer Rosmarin was later replaced by former NBN Co chief Stephen Rue.

The Optus breach also led to tougher penalties for serious or repeated breaches of customer data: organisations that fail to adequately protect people's data now face fines of $50 million or more.

The peak communications consumer body, ACCAN, said it was hopeful the court action would drive cultural change in the telco sector.

In June, Optus agreed to pay $100 million in penalties over unconscionable conduct related to selling vulnerable customers products they could not afford or use.

[Photo: Optus customers were hit by a major outage after the cyberattack.]

"This court action demonstrates how far short Optus fell from what consumers expect and deserve from their telcos," ACCAN chief executive Carol Bennett said.

"We have a long way to go to remedy the sorts of practices and behaviours we have seen from Optus over the past few years. It paints a picture of a telco that has lost sight of its obligation to consumers in delivering an essential service that consumers need and rely upon.

"Changing that culture won't be easy, and this very significant action from the Information Commissioner's office is yet another wake-up call. It seems Optus have been asleep at the wheel when it comes to accepting their moral and ethical responsibility to Australians."

Tom Sulston, the head of policy of lobby group Digital Rights Watch, also welcomed the action and said businesses should be minimising the amount of personal information they store and the period for which they hold it.

He also described the move as a further case for privacy reform.

"As a rule, companies do tend to hang on to more information than they need and for longer than they need it. Some of that is due to regulation, such as metadata retention, but plenty is down to companies' desire to find ways to monetise our information," he said.

"A few years ago, all the industry talk was about data being the new oil. We're finding out that data is more like the new asbestos: useful, needs to be handled with care, and very harmful if released to the public."

Copyright 2025