Trillions at Stake: Optus Sued for Alleged Data Failures

Australia's privacy watchdog has taken legal action against telecommunications giant Optus, alleging the company failed to adequately protect customer data in the lead-up to a massive cyber attack that exposed the personal information of 9.5 million Australians.

The Office of the Australian Information Commissioner (OAIC) is seeking a civil penalty of up to $2.22 billion for each contravention under the Privacy Act, so the total fine could reach into the trillions of dollars if Optus is found to have contravened the Act. The OAIC notes, however, that any penalty will ultimately be determined by the Federal Court.

The OAIC alleges that Optus seriously interfered with the privacy of 9.5 million Australians over a nearly three-year period before the breach occurred in September 2022. The regulator claims the company failed to take reasonable steps to protect personal information from misuse, interference, and loss.

Optus has responded by stating it is reviewing the findings and will respond to the claims "in due course." The telco again apologized to its customers and the broader community for the 2022 cyber attack and said it has been working hard to minimize the impact of the incident. Optus also stated that it will continue to invest in the security of customer information, its systems, and its cyber defense capabilities.

A Clear Message to Corporate Australia

The OAIC's actions have sent a clear message to corporate Australia: protect your customers' data or face fines. The regulator has long been vocal about the need for companies to prioritize cybersecurity and data protection.

"Organisations hold personal information within legal requirements and based upon trust," said Elizabeth Tydd, one of the OAIC commissioners. "The Australian community should have confidence that organisations will act accordingly, and if they don't, the OAIC as regulator will act to secure those rights."

Experts Welcome the Action

Industry experts have welcomed the OAIC's action, saying it sends a strong message about the importance of data protection. "I do believe these civil proceedings are a net positive to the cyber security of Australian companies," said Jamieson O'Reilly, an ethical hacker and founder of Dvuln.

"Many times, historically, private companies have effectively gotten away with exposing their customer information," O'Reilly added. "Civil penalties do act as a deterrent and encourage companies to take cybersecurity seriously."

A Call to Action for Consumers

Richard Buckland, associate professor in cyber security at the University of New South Wales, noted that consumers also have a role to play in holding companies accountable.

"After the shock and awe of the event, if customers don't have the time or effort to pursue legal and civil action, or leave the company, that also sends a message to the board that they don't have to take it [cybersecurity] as seriously," Buckland said.

A Previous Fine for Optus

Optus has already faced significant financial penalties for its role in the 2022 cyber attack. Last year, the company agreed to pay a $100 million penalty after admitting to inappropriate sales practices and misconduct.

The Impact on Corporate Australia

The OAIC's actions have significant implications for corporate Australia. The regulator is sending a clear message that companies must prioritize data protection and cybersecurity if they want to avoid severe penalties.

"The real role of a regulator in society is to improve behaviour and set a high bar for companies to work to," Buckland said. "This action by the regulator will be a good step in that direction."