Australia’s lead data privacy regulator is suing telecommunications giant Optus, seeking an as-yet undisclosed sum over the massive 2022 data breach that caused chaos for over a third of the national population. At the time the breach was the biggest in Australian history, but it was surpassed in record count by the breaches of Latitude Financial in 2023 and MediSecure in 2024.
The telecoms provider, the second-largest in the Australian market by mobile customers, is accused by the Australian Information Commissioner (AIC) of violating the Privacy Act 1988. The AIC is alleging one count for each of the estimated 9.5 million customers impacted, each of which could carry a maximum penalty of $2.2 million AUD. The actual penalty amount will depend on the court’s decision.
Privacy regulator brings second suit against Optus over 2022 breach
This will be the second lawsuit Optus faces from an Australian government agency over the 2022 data breach. The first was brought by the Australian Communications and Media Authority (ACMA) in 2024, alleging that Optus failed to protect the personally identifiable information of its customers from unauthorized access. That case was filed a little over a year ago and remains in progress. Optus also faces a class action suit filed in late 2024 that seeks direct compensation for customers, most of whom were impacted by having to replace identity documents to protect their personal information, something that has unfortunately become common for Australians in the wake of the major data breaches of recent years.
The privacy regulator’s suit is along similar lines to the one filed last year by ACMA, alleging that Optus failed to take reasonable and necessary steps to protect customer personal information in the several years prior to the 2022 data breach. The OAIC says that the company’s cybersecurity program was insufficient given its size, the volume of sensitive records it held and its overall risk profile.
Data breach penalty to be determined by Federal Court
At this point it is unclear how much Optus might ultimately pay should the ruling go in favor of the privacy regulator. The Federal Court sets the penalty amount as part of its decision, based on the severity of the violations. Optus is generally seen to have been cooperative and timely in making the necessary changes after the data breach, which could well help it avoid a very high penalty.
But the OAIC also appears to be seeking large penalties to send a message, given that Australia has suffered a seemingly ceaseless string of massive data breaches for several years now. This is the first suit brought by the privacy regulator that could end with the defendant paying a very substantial amount of money. The maximum penalty per victim equates to about $1.4 million USD, though it is very unlikely the final total would come anywhere near this maximum, as it would more than bankrupt the company. Optus shares experienced only a relatively small drop of about 0.5% on news of the suit.
And while the 2022 data breach included sensitive information, it did not impact all 9.5 million customers equally. Most experienced the exposure of basic account contact information such as names, birth dates, addresses, phone numbers, and email addresses. A smaller subset had current and valid passport details, driver’s licence numbers, and/or Medicare card data exposed and ultimately published on the dark web. The data breach turned out to be the work of a Sydney teenager who was able to plead out of jail time, due partly to his age and to the fact that he received no payment in response to the 93 blackmail attempts he made.
The ultimate determination will hinge on the degree to which the court views Optus as having fallen short of its Privacy Act 1988 obligations to protect this data. The case could have been much worse for Optus had the data breach taken place after the end of 2022, as the revised Privacy Act terms introduced a much larger penalty cap of $50 million per charge. The 2022 data breach stemmed from a coding error introduced in 2018 that left an API exposed to the public internet with no credential check required for access. Optus did not detect the issue until the data breach happened years later.
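The failure described above, an API endpoint that served customer records with no credential check and went unnoticed for years, is the kind of defect a deny-by-default route table plus a CI audit would surface. The following is an added example, not Optus code; the routes, records and token are constructed stand-ins for a real customer API.

```python
# Added example, not Optus code: constructed routes/tokens stand in for a real API.
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Route:
    path: str
    handler: Callable[[dict], dict]
    requires_auth: bool = True  # deny by default: opting out must be explicit

class Api:
    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}

    def route(self, path: str, requires_auth: bool = True):
        def register(fn):
            self.routes[path] = Route(path, fn, requires_auth)
            return fn
        return register

    def dispatch(self, path: str, request: dict) -> dict:
        r = self.routes[path]
        if r.requires_auth and request.get("token") not in VALID_TOKENS:
            return {"status": 401}
        return {"status": 200, "body": r.handler(request)}

VALID_TOKENS = {"tok-constructed-1"}  # constructed sample credential
CUSTOMERS = {"42": {"name": "A. Example", "dob": "1990-01-01"}}  # constructed
PUBLIC_ALLOWLIST = {"/health"}  # the only routes permitted to skip the check

api = Api()

@api.route("/health", requires_auth=False)
def health(_req: dict) -> dict:
    return {"ok": True}

@api.route("/customers")
def get_customer(req: dict) -> dict:
    return CUSTOMERS.get(req.get("id"), {})

# The error this models: a second path to the same records, registered without a credential check.
@api.route("/legacy/customers", requires_auth=False)
def legacy_get_customer(req: dict) -> dict:
    return CUSTOMERS.get(req.get("id"), {})

def unauthenticated_routes(api: Api) -> List[str]:
    """Routes that skip the credential check and are not allow-listed; run in CI and fail on non-empty."""
    return sorted(p for p, r in api.routes.items()
                  if not r.requires_auth and p not in PUBLIC_ALLOWLIST)
```

The audit returns `["/legacy/customers"]` for the table above, which is the signal that was missing in the real incident: an exposed record-serving route is found at build time rather than after the data has left.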
Recent Privacy Act 1988 amendments have expanded the privacy regulator’s power to issue penalty notices, including for failure to maintain compliant privacy policies and failure to allow platform users to interact anonymously. However, allegations of cybersecurity failure generally require the agency to pursue a civil penalty order in the Federal Court. Optus has already paid an unspecified amount of compensation to customers for passport replacement costs and subscriptions to credit monitoring services, but has yet to pay a fine or fee in relation to the data breach.