
Massive Optus Data Leak Prompts New Privacy Rules in Australia

A recent data breach that is estimated to have leaked the personal information of about 40% of Australia’s population is prompting reforms, as Prime Minister Anthony Albanese called for swift action on stronger privacy rules for corporations.

The breach of Optus, the second-largest telecoms company in the country, created a leak of about 10 million records of personal information. This included sensitive information that scammers and identity thieves would be very interested in, such as driver’s license and passport numbers paired with home addresses. The hacker claims to have offered up the data on the dark web for sale, though this has not yet been independently verified.

Australia eyeing new privacy rules for banks as an immediate step

Albanese indicated that banks will be a priority for new privacy rules, with a focus on notification requirements that allow for faster and more automatic protection of accounts when data breaches of this nature occur.

There are few details available about how the breach unfolded or who might have been behind it, other than that the attacker cycled through IP addresses in Europe and later showed up on the dark web demanding $1 million for the return of the stolen information. Customer account information with personally identifiable elements was taken, but it does not appear that this included payment information or passwords. Records dating back as far as 2017, including former customers that have left the service, may be impacted as the company is legally required to hold on to this information for six years after account deactivation.

Cybersecurity Minister Clare O’Neil placed blame for the data breach squarely on the shoulders of Optus, noting that privacy laws in other nations (such as the EU’s General Data Protection Regulation) would have resulted in massive fines for the company. O’Neil indicated that her agency would be focusing on new requirements for the nation’s telecoms companies going forward, which could include new privacy rules. She also noted that this sort of incident could bring fines of “hundreds of millions of dollars” in other countries, a likely reference to numerous GDPR fines on big tech firms that have had lapses of a similar scale.

For its part, Optus has said little about the breach publicly but has offered its “most impacted” customers a year of free credit monitoring and identity protection. It is still not known exactly how customers qualify for this or how many will qualify. The company has said that it has reached out via email and SMS to customers whose driver’s license or passport numbers were exposed.

Optus has repeatedly opposed proposed changes to Australia’s digital privacy laws, arguing that granting customers the right to have data deleted upon request would be technically difficult and too costly. It has also recently argued that a consumer right to legal action would spark frivolous lawsuits and would not ultimately serve the purpose of empowering consumers to control the use of their personal information.

Digital privacy rules overdue as changes to 1988 privacy law debated

Australia does not have a national law that specifically addresses digital privacy and protection of sensitive information, but some limited regulations that apply to these areas are present in the 1988 Privacy Act. That law was obviously not designed with the modern internet landscape in mind, however, and to this point updates to address the digital world have largely been left to the individual states and territories. This has led to a patchwork of regulations popping up since 1998, as different territories have opted for different standards (and some for none at all).

In 2020 the Morrison government initiated a review of the Privacy Act with an eye toward modernizing it and establishing national privacy rules of this nature, undertaking a national canvass to gather opinions on data access rights and the right to legal action against companies that are breached. Attorney general Mark Dreyfus has recently said that his office is in the final stages of this review.

A related issue that has raised some controversy is the Online Privacy Bill, which has been touted as part of the general strengthening of Privacy Act protections but has caused concerns about online anonymity. The bill’s central focus is new privacy rules for the major social media platforms, and it seeks to enforce minimum age requirements through verification (and require parental consent for users under the age of 16). These terms have stoked some concerns raised by an earlier April 2021 proposal that government photo ID be required to create a social media account.

While the shape of eventual national privacy rules in Australia still remains unclear, the assorted legislation introduced since 2020 along with a pledge to spend $1.1 billion on network infrastructure security by 2030 indicates that the issue is a priority for the government. If the terms of the Online Privacy Bill hold up, organizations in Australia could be looking at GDPR-like fines of up to $10 million or 10% of domestic annual turnover. A discussion paper that has been in the works since late 2020 has come up with 67 proposals that will require individual review, and only some of these could wind up making it into the final legislation.