Optus, a leading telecommunications provider in Australia, is facing legal action from the Australian Information Commissioner (AIC) following a significant data breach that occurred in 2022. This cyberattack resulted in the unauthorised access and subsequent leak of the personal information of millions of current, former, and prospective customers on the dark web. The compromised data included sensitive details such as names, dates of birth, phone numbers, and passport numbers.
The AIC claims that from October 17, 2019, to September 20, 2022, Optus failed to adequately protect the personal information of around 9.5 million Australians, which constitutes a serious breach of privacy. Elizabeth Tydd, the AIC, emphasised that organisations are expected to handle personal data within legal frameworks and built on trust. She reinforced the need for the Australian public to have confidence that entities will uphold privacy standards, asserting that the AIC will take action to safeguard these rights when necessary.
As a consequence of these allegations, Optus could face substantial fines. The Federal Court has the authority to impose civil penalties of up to $2.22 million for each breach, putting Optus potentially liable for billions considering the number of affected individuals.
In response to the lawsuit, an Optus spokesperson indicated that the company is currently reviewing the situation and will address the claims made by the AIC in due course. They reiterated their apology to customers and the broader community for the cyberattack, stating that they are committed to protecting customer information and have been actively working to mitigate the impact of the breach. However, the spokesperson noted that due to the ongoing legal proceedings, no further comments would be provided at this time.