Optus could face another hefty penalty, as the privacy watchdog sues the telco over the 2022 cyber attack that exposed the data of around 9.5 million Australians.
The Office of the Australian Information Commissioner (OAIC) has filed civil penalty proceedings in the Federal Court, alleging Optus breached privacy laws by failing to properly protect consumers’ data.
The OAIC has alleged that for a nearly three-year period until September 2022, when the breach occurred as the result of a cyber attack, Optus “seriously interfered with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure” under the Privacy Act.
The regulator has claimed Optus failed to manage cybersecurity and information security adequately for an organisation of its size, for the volume of personal information it held and for the company’s “risk profile”.
“The commencement of these proceedings confirms that the [Office of the Australian Information Commissioner] will take the action necessary to uphold the rights of the Australian community,” one of the commissioners, Elizabeth Tydd, said.
“Organisations hold personal information within legal requirements and based upon trust.
“The Australian community should have confidence that organisations will act accordingly, and if they don’t, the OAIC as regulator will act to secure those rights.”
An Optus spokesperson said the company was reviewing the matters raised in the proceedings and will respond to the claims “in due course”.
“Optus apologises again to our customers and the broader community that the 2022 cyber-attack occurred,” the statement to ABC News read.
The telco said it had been “working hard” to minimise the impact of the 2022 incident and “will continue to invest in the security of our customers’ information, our systems, and our cyber defence capabilities”.
The theoretical fine the telco may face could reach into trillions of dollars, as the Federal Court can impose a civil penalty of up to $2.22 million for each contravention under the Privacy Act.
The OAIC said it was alleging one contravention for “each of the 9.5 million individuals whose privacy it alleges Optus seriously interfered with”, but the regulator noted any penalty was a matter for the court to determine.
A body representing communications consumers, ACCAN, welcomed the action by the OAIC and said it sent a “clear message” to the sector, with “trillions at stake for Optus”.
“We have a long way to go to remedy the sorts of practices and behaviours we have seen from Optus over the past few years,” ACCAN chief executive Carol Bennett said.
“Changing that culture won’t be easy and this very significant action from OAIC is yet another wake-up call for action.”
Optus has already faced legal proceedings over the high-profile attack and last year said it intended to defend claims by the Australian Communications and Media Authority (ACMA) that it failed to protect confidential details in its database.
In June, Optus agreed to pay a $100 million penalty after it admitted to inappropriate sales practices and misconduct, following legal proceedings brought by the consumer watchdog in an unrelated matter.
Potential penalties a message to corporate Australia
Jamieson O’Reilly, who is known as an “ethical hacker” and founded a firm that companies pay to find IT vulnerabilities, welcomed the court action over one of Australia’s most significant data breaches.
“I do believe these civil proceedings are a net positive to the cyber security of Australian companies.
“Many times, historically, private companies have effectively gotten away with exposing their customer information,” he told ABC News.
Richard Buckland, associate professor in cyber security at the University of New South Wales, said that, until recently, the OAIC had not been involved with large penalties, so there had not been a strong message to companies to treat customer data with respect.
“It’s a pity the response has taken so long to come but regulators have a duty to get it right, and certainly there were lots of great things Optus did once they realised they had been breached, so they are not villains,” Mr Buckland said.
“The real role of a regulator in society is to improve behaviour and set a high bar for companies to work to. This action by the regulator will be a good step in that direction.
“I expect it will lead boards and company leadership to invest in improving security and improving how they look after data.”
In recent months, the information of 5.7 million Qantas customers was compromised in a cyber attack on the airline’s systems.
Mr O’Reilly, the founder of Dvuln, said civil penalties did act as a deterrent and encouraged companies to take cybersecurity seriously.
“Traditionally, security leaders in organisations struggle to get money from the board to invest in cybersecurity; this allows them to have something to go to the board and say if we don’t invest in cybersecurity, this is what happens.”
Mr O’Reilly said consumers could also help hold companies to account by taking their business elsewhere.
“After the shock and awe of the event, if customers don’t have the time or effort to pursue legal and civil action, or leave the company, that also sends a message to the board that they don’t have to take it [cybersecurity] as seriously.”