Optus apologises again for 2022 data breach, defers comment on OAIC lawsuit
More news: Optus has apologised again for the massive data breach that affected its customers in 2022, but deferred comment on Federal Court filings made by privacy watchdog OAIC that allege it contravened the Privacy Act in the lead-up to the incident.
An Optus spokesperson said it “will review and consider the matters raised in the proceedings and will respond to the claims made by the [Australian Information Commissioner] in due course”.
They also said the telecommunications business recognises “that as the cyber threat environment evolves, the security of our customers and their personal information has never been more important” and will “continue to invest in the security of our customers’ information, our systems, and our cyber defence capabilities”.
“As the matter is now before the Australian Courts, Optus will not be commenting further at this time.”
OAIC sues Optus for alleged failings in lead-up to 2022 data breach
The news: Privacy watchdog the Office of the Australian Information Commissioner (OAIC) has filed civil penalty proceedings against Optus, alleging the telecommunications company breached the Privacy Act over a three-year period prior to a massive data breach in 2022.
The context: On 22 September 2022, Optus announced it had been hit by a data breach that is estimated to have affected nearly 10 million people.
It affected personal information of current, former and prospective Optus customers. Some of this information was released on the dark web.
Following an investigation, the OAIC has now filed civil penalty proceedings in the Federal Court against Singtel Optus and Optus Systems alleging the telecommunications company breached the Privacy Act by failing to “take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure”.
The regulator claims Optus did not manage cybersecurity and information risks adequately given the nature and volume of personal information held as well as Optus’ size and risk profile.
The period in which Optus allegedly “seriously interfered with the privacy of approximately 9.5 million Australians” is between 17 October 2019 and 20 September 2022.
The Australian Communications and Media Authority has also sued Optus for a breach of the Telecommunications Act in the lead-up to the 2022 data breach.
What they said: “The commencement of these proceedings confirms that the OAIC will take the action necessary to uphold the rights of the Australian community,” said Australian Information Commissioner Elizabeth Tydd.
“Organisations hold personal information within legal requirements and based upon trust. The Australian community should have confidence that organisations will act accordingly, and if they don’t the OAIC as regulator will act to secure those rights.”
The source: OAIC media release