Australian Regulator Sues Optus Over 2022 Data Breach
In a shocking turn of events, the Australian Information Commissioner (AIC) has launched civil action against telecommunications giant Optus for a data breach that exposed the personal details of 9.5 million Australians in 2022.
The lawsuit alleges that Optus failed to take reasonable steps to protect victims' personal information from unauthorized access and disclosure, in breach of Australia's Privacy Act 1988. Following an investigation, the AIC concluded that Optus' security practices were not commensurate with the nature and volume of personal information held by the telecoms provider.
Australian Privacy Commissioner Carly Kind pointed to the risks that external-facing systems pose when they are connected to internal data stores. "The Optus data breach highlights some of the risks associated with external-facing websites and domains, particularly when these interact with internal databases holding personal information, as well as the risks around using third-party providers," Kind said. She continued, "All organizations holding personal information need to ensure they have strong data governance and security practices. These need to be both thorough and embedded, to guard against vulnerabilities that threat actors will be ready to exploit."
The AIC has applied to the Federal Court to impose a civil penalty order against Optus, alleging one contravention of the Privacy Act for each of the 9.5 million victims. The court has the power to impose up to $2.22m for each contravention, meaning Optus could face an enormous financial penalty. In December 2022, the maximum civil penalty that can be imposed was increased to $50m per contravention. However, this will not apply in this case as the alleged contraventions occurred from 17 October 2019 to 20 September 2022.
"Whether a civil penalty order is made, and the amount, are matters before the court," the AIC noted in a release dated August 8. The AIC's decision comes after an investigation into Optus' security practices, which found that they were not sufficient to protect the personal information of its customers.
The Optus Data Breach: A Timeline
In September 2022, Optus disclosed that it had been hit by a cyber-attack, revealing that nearly 10 million current and former customers' data may have been accessed. The data included sensitive personally identifiable information, such as payment details and account passwords.
The attackers reportedly issued Optus a ransom demand to prevent the data from being sold online. However, shortly afterwards, a hacker claiming responsibility for the hack appeared to take down a database containing some of the stolen information on BreachForums, apologizing to the 10,000 Australians whose data had been leaked.
The attackers reportedly exploited a misconfigured API to access the dataset without requiring any authentication. Optus said it was able to prevent the hackers from stealing customers' payment details and account passwords. However, the breach highlighted the importance of robust security measures to protect personal information.
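The weakness described above, an API endpoint that returns customer records without authenticating the caller, is illustrated below with an added example. This is constructed code written for this article, not Optus code, and it does not describe the actual Optus system: the customer records, the signing key, the endpoint names and the log format are all invented. It shows the weak pattern beside a hardened handler that requires a valid session token and checks that the token's subject owns the requested record, plus a simple detection that flags a client fetching many distinct records, which is the kind of bulk access an unauthenticated endpoint makes possible.

```python
"""Constructed illustration of an unauthenticated customer-lookup endpoint and a
hardened equivalent. Example code for this article; not Optus code and not a
description of the real Optus system."""
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample dataset: customer_id -> record (invented, not real data).
CUSTOMERS: Dict[str, Dict[str, str]] = {
    "1001": {"name": "A. Example", "email": "a@example.invalid"},
    "1002": {"name": "B. Example", "email": "b@example.invalid"},
    "1003": {"name": "C. Example", "email": "c@example.invalid"},
}

# Hypothetical server-side secret used to sign session tokens (demo value only).
TOKEN_KEY = b"constructed-demo-key-not-for-production"


def vulnerable_lookup(customer_id: str) -> Optional[Dict[str, str]]:
    """The weak pattern: any caller who supplies an id gets the record back.
    No authentication and no ownership check."""
    return CUSTOMERS.get(customer_id)


def issue_token(customer_id: str) -> str:
    """Mint a session token bound to one customer id (HMAC-SHA256 over the id)."""
    sig = hmac.new(TOKEN_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{sig}"


def verify_token(token: str) -> Optional[str]:
    """Return the customer id the token was issued for, or None if it is invalid."""
    try:
        customer_id, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(TOKEN_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature bytes are not leaked via timing.
    return customer_id if hmac.compare_digest(sig, expected) else None


def hardened_lookup(customer_id: str, token: Optional[str]) -> Tuple[int, Optional[Dict[str, str]]]:
    """Return (http_status, body). Requires a valid token AND that the token's
    subject owns the requested record (object-level authorization)."""
    if token is None:
        return 401, None
    subject = verify_token(token)
    if subject is None:
        return 401, None
    if subject != customer_id:
        # Authenticated, but not authorized to read another customer's record.
        return 403, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def flag_enumeration(log_lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Detection over constructed access-log lines of the form
    '<epoch> <client_ip> <method> /customer/<id> <status>'. Returns the clients
    that requested at least `threshold` distinct customer ids."""
    seen: Dict[str, set] = defaultdict(set)
    for line in log_lines:
        _ts, ip, _method, path, _status = line.split()
        if path.startswith("/customer/"):
            seen[ip].add(path.rsplit("/", 1)[1])
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= threshold}


# Constructed sample log: one client walks several ids, another fetches one record.
SAMPLE_LOG = [
    "1700000000 198.51.100.7 GET /customer/1001 200",
    "1700000001 198.51.100.7 GET /customer/1002 200",
    "1700000002 198.51.100.7 GET /customer/1003 200",
    "1700000003 203.0.113.9 GET /customer/1002 200",
]

if __name__ == "__main__":
    print(vulnerable_lookup("1002"))            # returned to anyone who asks
    tok = issue_token("1001")
    print(hardened_lookup("1001", tok))         # (200, record for 1001)
    print(hardened_lookup("1002", tok))         # (403, None): not the owner
    print(flag_enumeration(SAMPLE_LOG))         # {'198.51.100.7': 3}
```

The design point is that authentication alone is not enough: the hardened handler also refuses a valid session that asks for a different customer's record, which is the check that stops a logged-in user from walking through other people's data. The log scan is a coarse control that belongs alongside the fix rather than instead of it, since a threshold that is too low will flag legitimate clients and one that is too high will miss slow access.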
Optus Responds to the AIC's Allegations
Optus has stated that it is reviewing the AIC claims. "Optus apologises again to our customers and the broader community that the 2022 cyber attack occurred. We strive every day to protect our customers' information and have been working hard to minimise any impact the cyber attack may have had," the company said in a statement.
Optus added, "We continue to recognise that as the cyber threat environment evolves, the security of our customers and their personal information has never been more important. We will continue to invest in the security of our customers' information, our systems, and our cyber defence capabilities."
A Call to Action for Organizations Holding Personal Information
The Optus data breach serves as a stark reminder of the importance of strong data governance and security practices. As Australian Privacy Commissioner Carly Kind noted, those practices "need to be both thorough and embedded, to guard against vulnerabilities that threat actors will be ready to exploit."
The AIC's decision highlights the need for organizations to take proactive steps to protect their customers' personal information. By implementing robust security measures and regular audits, organizations can help prevent data breaches like the one suffered by Optus.