OAIC launches investigation into Optus

Following the Optus customer data breach, which left potentially millions of customers’ information in the hands of cyber criminals, the OAIC has today commenced an investigation against the telco.

Lauren Croft
Tue, 11 Oct 2022

Editor’s note: This story originally appeared on Cyber Security Connect’s sister brand, Lawyers Weekly.

Customers of Australia’s second-largest telco may have had their names, dates of birth, phone numbers and email addresses stolen in the data breach — which was announced on 22 September — as well as licence and passport numbers in some cases.

The data breach, which has been called one of the most serious in Australian history, has already sparked two separate class actions — from Slater & Gordon and Maurice Blackburn, which launched investigations on Monday, 26 September and Wednesday, 28 September, respectively.

On Tuesday, the Office of the Australian Information Commissioner (OAIC) launched its own investigation into the personal information handling practices of Singtel Optus, Optus Mobile and Optus Internet (the Optus companies) in relation to the breach.

The OAIC’s investigation will determine whether Optus took “reasonable steps” to protect customers’ personal information from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business.

The investigation will also consider whether the telco implemented certain practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs), including those that would enable Optus to deal with related inquiries or complaints.

The OAIC’s investigation will also be coordinated with a separate investigation by the Australian Communications and Media Authority (ACMA), also announced on Tuesday.

Australian Information and Privacy commissioner Angelene Falk said the coordination of investigations by the OAIC and ACMA was a positive example of regulatory cooperation that would lead to efficient regulatory outcomes.

Additionally, if the OAIC’s investigation results in the commissioner being satisfied that an interference with the privacy of one or more individuals has occurred, or that serious interferences in contravention of Australian privacy law have occurred, then Optus could face penalties of up to $2.2 million per breach in the Federal Court.

While not commenting on the specific investigation, commissioner Falk said the widespread attention given to the Optus data breach had highlighted key privacy issues that corporate Australia should take heed of.

“If they have not done so already, I urge all organisations to review their personal information-handling practices and data breach response plans to ensure that information is held securely, and that in the event of a data breach they can rapidly notify individuals so those affected can take steps to limit the risk of harm from their personal information being accessed,” she said.

“And collecting and storing personal information that is not reasonably necessary to your business breaches privacy and creates risk. Only collect what is reasonably necessary.”
