The Australian Information Commissioner (AIC), who heads the Office of the Australian Information Commissioner (OAIC), has commenced civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus). The proceedings follow the OAIC's investigation into the data breach Optus disclosed on 22 September 2022.
The breach involved unauthorised access to the personal information of approximately 9.5 million current, former and prospective customers, and some of that information has since been published on the dark web. The Commissioner alleges that between 17 October 2019 and 20 September 2022 Optus seriously interfered with the privacy of those individuals by failing to take reasonable steps to protect their personal information from misuse, interference, loss and unauthorised access, in breach of the Privacy Act 1988.
The regulator alleges that Optus did not sufficiently manage cybersecurity risks in accordance with the scale of the personal information it held, as well as the overall size and risk profile of the business. Australian Information Commissioner Elizabeth Tydd commented, “The commencement of these proceedings confirms that the OAIC will take the action necessary to uphold the rights of the Australian community.” She emphasised that organisations are entrusted with personal information and must adhere to legal requirements, adding that the OAIC will intervene when necessary to protect community rights.
Carly Kind, the Australian Privacy Commissioner, highlighted the lessons to be learned from the breach. She noted that it underscores the inherent risks of external-facing websites that interface with internal databases, as well as the potential vulnerabilities involving third-party providers. “All organisations holding personal information need to ensure they have strong data governance and security practices,” she stated.
The proceedings are before the Federal Court, which can impose a civil penalty of up to $2.22 million for each contravention of the Privacy Act. Because the penalty applies per contravention, the total exposure depends on how many contraventions the court finds, and with roughly 9.5 million individuals affected it could be substantial. The higher maximum of up to $50 million introduced in December 2022 does not apply here, because the alleged contraventions predate that amendment.
The investigation examined whether Optus adequately managed the personal information it held and protected it from misuse and unauthorised disclosure. The Commissioner alleges that Optus did not adequately address the risks associated with that information, given the size of the business and the nature and volume of the data it held.
In light of the incident, the OAIC has urged organisations to take proactive measures, including establishing clear ownership of internet-facing domains, putting authorisation processes in place for access to customer information, layering security controls and maintaining robust security monitoring. It also recommends regular reviews of these practices and thorough risk assessments to strengthen overall data protection.