
Australian regulator takes Optus to court over data breach
One contravention alleged for each of over nine million people said to have been impacted.
Optus entities Singtel Optus Pty Limited and Optus Systems Pty Limited could face as much as AU$2.22m in penalties for each of the 9.5 million individuals that the Australian Information Commissioner (AIC) believes were impacted by a cyberattack that targeted Optus nearly three years ago.
Filing civil penalty proceedings in the Federal Court, the AIC is alleging that Optus "seriously interfered" with the privacy of approximately 9.5 million Australians from around 17 October 2019 to 20 September 2022.
The regulator said Optus failed to take reasonable steps to protect customers' personal information from misuse, interference, and loss, as well as from unauthorised access, modification, or disclosure, allegedly in breach of the Privacy Act, while also failing to manage its cybersecurity and information security risk in a manner commensurate with that risk.
According to the AIC, the affected information spanned not only existing but also past and even prospective Optus customers. The data included names, dates of birth, home addresses, phone numbers, email addresses, and government-related identifiers like passport numbers.
Explaining the possible penalties, the watchdog noted: "The Federal Court can impose a civil penalty of up to AU$2.22m for each contravention. The Australian Information Commissioner alleges one contravention for each of the 9.5 million individuals whose privacy it alleges Optus seriously interfered with.
"Increased civil penalties of up to AU$50m came into effect in December 2022, although they do not apply to this case, as the alleged contraventions occurred from 17 October 2019 to 20 September 2022. Whether a civil penalty order is made, and the amount, are matters before the Court."
In response to the development, Optus expressed its view as to how a penalty decision, if any, might be reached.
Optus stated: "If a contravention is found, the Court will consider a number of factors and apply a penalty amount it determines overall as appropriate based on the events that occurred. It is not necessarily a direct calculation based on the number of contraventions."
For Australian Information Commissioner Elizabeth Tydd, the regulator's move is about upholding the rights of the Australian community.
"Organisations hold personal information within legal requirements and based upon trust," Tydd commented. "The Australian community should have confidence that organisations will act accordingly, and if they don't, the OAIC (Office of the Australian Information Commissioner) as regulator will act to secure those rights."
Australian Privacy Commissioner Carly Kind added that businesses must be "extremely vigilant" given the significant risks in the current cyber landscape.
In 2023, law firm Slater and Gordon filed a class action against Optus over the same data breach incident.