cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Optus denies claims of ‘cloaking’ Deloitte cyber attack report findings

Optus has denied claims it attempted to “cloak” details of its 2022 cyber attack from the courts after it pushed to keep a report on the incident outside of court proceedings.

user icon Daniel Croft
Wed, 15 May 2024
Optus denies claims of ‘cloaking’ Deloitte cyber attack report findings
expand image

Last year, during a class action filed by Slater & Gordon in the Federal Court, the telco said it would not be making a Deloitte report on the cyber attack public or available to requesting parties, saying the details are confidential and claiming legal professional privilege over the document.

Legal professional privilege is a common law that refers to the protection of confidential information between a legal professional and a client “made for the dominant purpose of the lawyer providing legal advice or professional legal services to the client, or for use in current or anticipated litigation”, according to the NSW Information and Privacy Commission.

Optus announced the commission of the report on 3 October 2022, saying that it would “help ensure we understand how it occurred and how we can prevent it from occurring again”.


“It will help inform the response to the incident for Optus,” it added, saying it may also assist others in the sector. Optus also said the report was recommended by its now-former chief executive, Kelly Bayer Rosmarin, and fully supported by the Singtel board.

The telco’s claim of legal professional privilege was rejected by Federal Court judge, Justice Jonathan Beach, who said the Slater & Gordon class action should include the report.

Justice Beach ruled against the claim in November, saying that the telco had “not made good their claim of privilege” in its review and that it was a “real problem” for the telco that the statement did not explicitly state that the report was for legal purposes or recommended by a lawyer, which is what Optus general counsel Nicholas Kusalic was allegedly trying to get across.

As reported by The Australian Financial Review, Optus sought to appeal the ruling in the Federal Court on Tuesday (14 May), with its lawyer Steven Finch SC saying that Justice Beach’s earlier ruling was incorrect, stating that while the press release did not “expressly state” that the report was commissioned to obtain legal advice, it was the report’s main purpose.

Finch added that the statement was designed for media consumption and to “calm everybody down” rather than be a “diary record of what purpose lay behind [the report]”.

He also said the press release would not be expected to include “an abject confession that we are rushing off to see lawyers” or any wording that would encourage class action suits, adding that there was no evidence of who drafted the release.

Justice Beach had a number of reasons for his prior ruling. On top of the non-specific reasoning for the report, no evidence that Deloitte’s investigation was being done with the support of Ashurst, Optus’ legal adviser at the time, which was retained by the telco on 21 September 2022 to provide legal advice to the company. It was retained again on 21 October 2022.

“Endeavours to cloak the Deloitte review with legal professional privilege were more to the fore in late October 2022 than they were at the start of the month,” Justice Beach said in his ruling.

Finch responded to the ruling, saying that classifying Optus’ behaviour as “cloaking” was an attack that undermined Kusalic as a lawyer.

The appeal is a big deal for Optus, which, if lost, and Slater & Gordon gets its hands on the report, certain key details could become public in legal proceedings. The report itself will not become public.

At this time, the court reserved its judgment on the proceedings.

On top of its legal proceedings and the aforementioned cyber attack, Optus has faced a wave of issues.

Last year, the telco suffered an outage that prevented thousands of Australians from contacting emergency services.

Initially reporting that only 228 people were unable to contact emergency services and that welfare checks were performed on those people, Optus’ interim chief executive Michael Venter said the number of calls unable to connect was actually 2,697, eleven times the originally reported number.

It was also revealed that for the additional 2,468 calls, not a single welfare check was performed.

“As part of our commitment to learn from the Optus outage on 8 November 2023, we undertook a review of our processes for calls that were unable to connect to the Triple Zero service,” the telco wrote in an update to its blog.

“That review has now shown that there were an additional 2,468 customers that made Triple Zero calls from our network that did not reach the Emergency Service Centre and for which a welfare check was not undertaken.”

Prior to the number being revealed, the CEO at the time, Bayer Rosmarin, resigned from the position after being pressured with questioning in the Senate.

Stephen Rue, now former CEO of NBN Co, will take up the position in November. He left NBN Co earlier this month.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.