The Office of the Australian Information Commissioner has opened civil proceedings against the telco, Optus, to “uphold the rights of the Australian community”.
The Office of the Australian Information Commissioner (OAIC) has taken civil penalty action in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited, claiming that Optus failed to properly protect the personal information of its customers in relation to the headline-making 2022 data breach.
The OAIC alleges that in the period from around 17 October 2019 to 20 September 2022, Optus “seriously interfered with the privacy of approximately 9.5 million Australians”.
The OAIC contends that Optus failed to adequately manage its cyber security risk, particularly given the volume and sensitivity of the personal information it held.
“The commencement of these proceedings confirms that the OAIC will take the action necessary to uphold the rights of the Australian community,” Australian information commissioner Elizabeth Tydd said in an 8 August statement.
“Organisations hold personal information within legal requirements and based upon trust. The Australian community should have confidence that organisations will act accordingly, and if they don’t, the OAIC as regulator will act to secure those rights.”
The Optus data breach occurred in September 2022 and saw a trove of customer data compromised, including passport and driver’s licence details, Medicare numbers, and birth certificates.
“The Optus data breach highlights some of the risks associated with external-facing websites and domains, particularly when these interact with internal databases holding personal information, as well as the risks around using third-party providers,” Australian privacy commissioner Carly Kind said.
“All organisations holding personal information need to ensure they have strong data governance and security practices. These need to be both thorough and embedded, to guard against vulnerabilities that threat actors will be ready to exploit.”
“Effective stewardship of individuals’ personal information is critical, and businesses need to be extremely vigilant to the significant threats and risks in today’s cyber landscape.”
The OAIC will allege that Optus’ inaction contravened section 13G of the Privacy Act once for each of the approximately 9.5 million individuals affected by the breach. The Federal Court can impose a penalty of up to $2.22 million per contravention, which on paper gives a theoretical maximum of about $21 trillion, although a penalty anywhere near that figure is highly unlikely.
Optus has responded to the OAIC’s move and has said it is reviewing the matter.
“Optus apologises again to our customers and the broader community that the 2022 cyber attack occurred. We strive every day to protect our customers’ information and have been working hard to minimise any impact the cyber attack may have had,” Optus said in a statement.
“We continue to recognise that as the cyber threat environment evolves, the security of our customers and their personal information has never been more important. We will continue to invest in the security of our customers’ information, our systems, and our cyber defence capabilities.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.