An evolving AI project from Mi3 | Automation with Editor curation. And oversight. Always.
Posted 08/08/2025 11:14am


hAIku

Optus in the court,
Privacy breach allegations,
Data trust at stake.

Optus faces Federal Court over alleged privacy breaches impacting 9.5 million Australians

The Australian Information Commissioner (AIC) has initiated civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited. This legal action follows an investigation into a data breach that Optus publicly disclosed on 22 September 2022.

The breach involved unauthorised access to personal information of millions of Optus customers, with some of this information reportedly released on the dark web. The AIC alleges that from 17 October 2019 to 20 September 2022, Optus seriously interfered with the privacy of approximately 9.5 million Australians.

Optus is accused of failing to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure, in violation of the Privacy Act 1988. The AIC claims that Optus did not adequately manage cybersecurity and information security risks.

An Optus spokesperson said the company would review and consider the matters raised in the proceedings and would respond later.

"Optus apologises again to our customers and the broader community that the 2022 cyber-attack occurred. We strive every day to protect our customers’ information and have been working hard to minimise any impact the cyber-attack may have had. We continue to recognise that as the cyber threat environment evolves, the security of our customers and their personal information has never been more important. We will continue to invest in the security of our customers’ information, our systems, and our cyber defence capabilities."

The spokesperson added, "With the matter now before the Australian courts, Optus will not be commenting further at this time."

Potential fines

The Federal Court has the authority to impose a civil penalty of up to $2.22 million for each contravention. The Australian Information Commissioner alleges one contravention for each of the 9.5 million individuals affected. However, increased civil penalties of up to $50 million, which came into effect in December 2022, do not apply to this case as the alleged contraventions occurred earlier.

The Office of the Australian Information Commissioner (OAIC) began an investigation into Optus' privacy practices following the data breach. The investigation focused on Optus' management and security of personal information and whether reasonable steps were taken to protect it. The personal information accessed included names, dates of birth, home addresses, phone numbers, email addresses, and government-related identifiers such as passport and driver's licence numbers.

Australian Information Commissioner Elizabeth Tydd stated, "The commencement of these proceedings confirms that the OAIC will take the action necessary to uphold the rights of the Australian community." She further commented, "Organisations hold personal information within legal requirements and based upon trust. The Australian community should have confidence that organisations will act accordingly, and if they don't the OAIC as regulator will act to secure those rights."

Australian Privacy Commissioner Carly Kind remarked on the broader implications of the breach, saying, "The Optus data breach highlights some of the risks associated with external-facing websites and domains, particularly when these interact with internal databases holding personal information, as well as the risks around using third-party providers." Kind emphasised the importance of robust data governance, stating, "All organisations holding personal information need to ensure they have strong data governance and security practices. These need to be both thorough and embedded, to guard against vulnerabilities that threat actors will be ready to exploit."

Kind also highlighted the critical nature of data stewardship, noting, "Effective stewardship of individuals' personal information is critical, and businesses need to be extremely vigilant to the significant threats and risks in today's cyber landscape."

The Federal Court will determine whether a civil penalty order is made and the amount.
