The Australian Information Commissioner has launched civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited, alleging the telco seriously interfered with the privacy of around 9.5 million people in the lead-up to its 2022 cyberattack.
The case follows an investigation into the breach Optus disclosed on 22 September 2022, which involved unauthorised access to personal information of current, former and prospective customers and the subsequent release of some of that data on the dark web.
The commissioner alleges that from on or around 17 October 2019 to 20 September 2022, Optus failed to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, in breach of the Privacy Act 1988. It is also alleged Optus did not adequately manage cyber and information security risk given the nature and volume of data it held, its size and its risk profile.
“The commencement of these proceedings confirms that the OAIC will take the action necessary to uphold the rights of the Australian community,” said Australian Information Commissioner Elizabeth Tydd. She added: “Organisations hold personal information within legal requirements and based upon trust. The Australian community should have confidence that organisations will act accordingly, and if they don’t the OAIC as regulator will act to secure those rights.”
The Office of the Australian Information Commissioner (OAIC) said its probe focused on how Optus managed and secured personal information and whether its steps were reasonable in the circumstances, given the risk of harm to individuals. Data held by Optus included names, dates of birth, home addresses, phone numbers and email addresses, as well as government-related identifiers such as passport and driver’s licence numbers, Medicare details, birth and marriage certificate information, and armed forces, defence force and police identification information.
Under section 13G of the Privacy Act, the Federal Court can impose a civil penalty of up to $2.22 million for each contravention where an entity is found to have engaged in serious or repeated interferences with privacy. The commissioner alleges one contravention for each affected individual. The higher penalty regime introduced in December 2022 (a maximum of the greater of $50 million, three times the value of any benefit obtained, or 30 per cent of adjusted turnover) does not apply, as the alleged conduct ended on 20 September 2022, before that change commenced. Whether a civil penalty order is made, and any amount, will be determined by the court.
Australian Privacy Commissioner Carly Kind said, “All organisations holding personal information need to ensure they have strong data governance and security practices. These need to be both thorough and embedded, to guard against vulnerabilities that threat actors will be ready to exploit.” She added: “Effective stewardship of individuals’ personal information is critical, and businesses need to be extremely vigilant to the significant threats and risks in today’s cyber landscape.”
The OAIC urged organisations to strengthen oversight of internet-facing domains, ensure only authorised requests can access customer data, use layered security to avoid single points of failure, implement robust monitoring and incident response, properly resource privacy and cyber security (including when using third parties), and to regularly review and improve critical systems.
Optus has been approached for comment.