Optus sued over big breach
The Australian Communications and Media Authority (ACMA) has initiated Federal Court proceedings against telecommunications giant Optus.
AMCA is taking action over breaches of customer data protection laws following a significant cyberattack in September 2022.
The attack compromised personal data of approximately 10 million current and former customers, marking one of the most severe cyber incidents in Australian history.
ACMA's lawsuit alleges that Optus failed to secure personally identifiable information (PII), which included driver’s licences, passport numbers, home addresses, and dates of birth.
The regulator claims this breach violated the Australian Telecommunications (Interception and Access) Act.
On the day of the breach, around 40 per cent of Optus' customer base experienced service disruptions.
Hackers demanded a ransom of $1.5 million to prevent the data from being sold online. In a surprising turn, the hackers later withdrew their ransom demand and issued an apology.
This incident prompted the Australian government to implement stricter penalties for severe or repeated data protection failures.
Organisations now face fines exceeding $50 million if they do not adequately safeguard customer data.
The fallout from the cyberattack led to significant changes in Optus' leadership.
Kelly Bayer Rosmarin, the chief executive during the breach, resigned in November 2023 following a subsequent mass outage.
Stephen Rue, currently the CEO of NBN Co, is slated to assume the role of Optus CEO in November 2024.
“At this stage, Optus Mobile is not able to determine the quantum of penalties, if any, that could arise,” Optus’ parent company Singtel said in a statement to investors.
The company says it is committed to defending the proceedings and highlighted the steps taken to protect customers post-breach, including collaboration with police and other authorities.
Optus is also entangled in a legal battle to prevent a Deloitte report on the breach from being disclosed as part of a class action lawsuit led by law firm Slater and Gordon.