The Australian Information Commissioner has initiated Federal Court proceedings against Optus, a major telecommunications company, over a significant cyberattack that occurred in September 2022. The lawsuit alleges that Optus failed to take reasonable measures to protect the personal information of approximately 9.5 million Australians, a situation that constitutes a mass breach of the Privacy Act. The stolen data included highly sensitive information such as passport numbers, driver’s license numbers, and Medicare card numbers. This cyberattack was a watershed moment in Australian cybersecurity, prompting a national conversation about corporate responsibility and data security. The commissioner’s legal action aims to hold Optus accountable for what it deems a failure to adequately safeguard customer data.
The 2022 cyberattack was one of the largest in Australia’s history, with hackers gaining unauthorized access to the personal data of current, former, and prospective Optus customers. The breach impacted about 40% of the Australian population, many of whom were unable to use their phone and internet services on the day of the attack. Following the breach, some of the stolen information was leaked to the dark web. The attackers initially demanded a $1.5 million ransom but later withdrew their demand and apologized. This incident highlighted the vulnerabilities of large-scale data storage and the critical need for robust cybersecurity protocols, especially for companies that hold vast amounts of personal information.
The potential financial penalties for Optus are significant. The Federal Court can impose a fine of up to $2.22 million for each contravention of the Privacy Act. Since the commissioner is alleging a separate contravention for each of the 9.5 million affected individuals, the theoretical maximum penalty could reach an astronomical sum. However, a fine of this magnitude is not practical as it would far exceed the size of the Australian economy. While the exact penalty being sought has not been specified, the legal action signals a strong stance from the privacy watchdog on the seriousness of data security negligence and the need for corporations to prioritize customer protection.
This legal challenge is not the first for Optus in the aftermath of the cyberattack. The company is also facing a separate Federal Court claim from the Australian Communications and Media Authority (ACMA), which alleges that Optus should have been aware of a flaw in its system for years prior to the breach. The cyberattack and a subsequent 12-hour network outage a year later contributed to a challenging period for the company, resulting in the resignation of CEO Kelly Bayer Rosmarin and other top executives. These events have not only been costly for Optus in terms of customer loss and reputation but have also catalyzed legislative changes, leading to tougher penalties for serious data breaches in Australia.
In a statement, an Optus spokeswoman apologized to customers and the broader community, asserting that the company is striving to protect customer information and minimize the impact of the cyberattack. Optus has stated it will respond to the claims “in due course” but will not comment further while the matter is before the courts. The company has already faced other legal issues, including a $100 million penalty for “unconscionable conduct” related to selling unsuitable products to vulnerable customers. The ongoing legal battles underscore the heightened scrutiny and regulatory pressure on Optus to improve its practices in data security and customer care.