Australian Regulator Takes Legal Action Against Optus Following 2022 Data Breach Affecting Millions

The Australian Information Commissioner (AIC) has initiated civil proceedings against telecommunications provider Optus due to a significant data breach in 2022 that exposed the personal data of approximately 9.5 million Australians.

The lawsuit accuses Optus of failing to implement reasonable security measures to protect customers’ sensitive information from unauthorized access and disclosure, in violation of Australia’s Privacy Act 1988. After a thorough investigation, the AIC concluded that Optus’ cybersecurity protocols did not adequately reflect the sensitivity and volume of the personal data it managed.

Australian Privacy Commissioner Carly Kind highlighted the risks posed by external-facing websites and domains that interact with internal databases containing personal information, as well as vulnerabilities linked to third-party providers. She stressed that every organization handling personal data must establish robust, deeply integrated data governance and security practices to prevent exploitation by threat actors.

The AIC has requested the Federal Court impose a civil penalty on Optus, claiming a separate violation of the Privacy Act for each individual affected by the breach. The court can impose fines up to AUD 2.22 million per violation, potentially resulting in a massive financial penalty for Optus.

Although the maximum penalty per contravention was increased to AUD 50 million in December 2022, this increase does not apply in this case since the breaches occurred between October 17, 2019, and September 20, 2022. The AIC noted that the court will ultimately determine whether penalties are issued and their amounts.


Details of the 2022 Data Breach

Headquartered in Sydney, Optus publicly disclosed the cyberattack in September 2022, revealing that data belonging to nearly 10 million current and former customers may have been compromised.

The stolen information reportedly included highly sensitive personally identifiable data, such as:

  • Full names, birth dates, home addresses, phone numbers, and email addresses
  • Government-issued identifiers, including passport numbers, driver’s license numbers, and Medicare card numbers
  • Birth and marriage certificate details
  • Military, defense force, and police identification data

Despite the breach, Optus stated that it successfully prevented attackers from accessing payment information and account passwords.

Following the attack, the threat actors demanded a ransom to avoid selling the stolen data online. However, a hacker claiming responsibility later removed part of the stolen data from a breach forum, expressing apologies to around 10,000 Australians whose information had been leaked.

The breach was reportedly caused by a misconfigured API endpoint that could be reached without any authentication, allowing unauthorized access to the customer dataset.


Optus’ Response

Optus has issued a statement saying it is reviewing the AIC’s allegations and reiterated its commitment to protecting customer data.

“Optus sincerely apologizes to our customers and the wider community for the 2022 cyber incident,” the company stated. “We work continuously to safeguard our customers’ information and have been actively minimizing any impacts resulting from this attack.”

Optus also acknowledged the evolving nature of cyber threats and emphasized ongoing investments in the security of its systems, customer data, and cyber defense capabilities.


This case underscores the critical importance of maintaining strong cybersecurity governance, particularly for organizations managing vast amounts of sensitive personal data. The outcome of the legal proceedings will likely have far-reaching implications for data protection enforcement in Australia and highlight the ongoing challenges companies face in defending against sophisticated cyberattacks.

Source: https://www.infosecurity-magazine.com/news/australian-regulatory-sues-optus