The Australian Communications and Media Authority (ACMA) has launched legal action against Optus over its 2022 data breach, in which more than 10 million current and former customers had personal information stolen by hackers.

In a statement, ACMA said it had filed Federal Court proceedings against Australia's second largest telecommunications company, which is owned by Singaporean company Singtel.

“We allege that during a data breach which occurred between 17 to 20 September 2022, Optus failed to protect the confidentiality of its customers’ personal information from unauthorised interference or unauthorised access as required under the Telecommunications (Interception and Access) Act 1979 (Cth),” it said.

ACMA said it would not comment further, as the matter was before the court.

In a statement to Information Age, Optus said it intended to defend itself against the proceedings but could not determine the penalties it may face.

“Optus has previously apologised to its customers and has taken significant steps, including working with the police and other authorities, to protect them,” the company said.

“It also reimbursed customers for the cost of replacing identity documents.”

Optus has previously said 2.1 million Australians had identification numbers for documents like driver’s licences and passports compromised in the 2022 breach.

Around 10,000 customers also allegedly had their details exposed on the dark web.

Cyber attack cost millions

In a financial statement, Optus' parent company Singtel said costs associated with cyber attacks in Australia totalled 142 million Singapore dollars ($159 million) for the year to 31 March, 2023.

The statement noted that the 2022 cyber attack was the subject of regulatory investigations and class action proceedings, which “could give rise to regulatory actions, penalties, potential claims and/or litigation” and damages.

Class action law firm Slater and Gordon commenced a lawsuit against Optus in April 2023, on behalf of individuals whose data was breached.

Its claim accuses Optus of “breaching privacy, telecommunication and consumer laws as well as the company’s internal policies”.

The federal government says it is investing billions of dollars in cyber security initiatives, and has increased financial penalties for companies that report serious or repeated privacy breaches.

The Office of the Australian Information Commissioner (OAIC) has also been given stronger powers to resolve breaches and quickly inform affected customers.

In Singtel’s financial results for the year ending March 31, 2024, CEO Yuen Kuan Moon said Optus was also “recovering well” from its November 2023 network outage, which saw most of its customers lose connectivity for more than 12 hours.

In an earnings document released on Thursday, Optus reported stable revenue for the year to 31 March, 2024, adding 116,000 mobile customers but seeing a decline in margins for fixed services with enterprise customers.

Interim CEO and CFO Michael Venter said the results showed the brand was “working hard to rebuild the trust of customers after a challenging 18 months”.

The 2022 data breach and 2023 network outage saw former Optus CEO Kelly Bayer Rosmarin resign in November.

Current NBN boss Stephen Rue is set to take over as Optus CEO from November 2024.