Telecommunications giant Optus faces potential civil penalties of up to $20.9 trillion after the Office of the Australian Information Commissioner (OAIC) sued the company over its 2022 data breach, alleging that it “did not take reasonable steps” to protect the data of 9.5 million customers.
Cybercriminals stole those customers’ personal data during the breach – including 2.1 million who were at high risk of identity theft after their driver licence and passport details were compromised – and ultimately demanded $US1 million before apologising and pulling the data from sale.
After an investigation, the privacy regulator now alleges that Optus “seriously interfered with the privacy” of the victims “by failing to take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification, or disclosure.”
This, the OAIC claims, violates s13G of the Privacy Act 1988 – which provides for a penalty of up to $2.22 million per “serious” interference with privacy – and the OAIC said it will pursue damages for each of the 9.5 million affected customers, leading to theoretical civil damages of $20.9 trillion.
“The commencement of these proceedings confirms that the OAIC will take the action necessary to uphold the rights of the Australian community,” Australian Information Commissioner Elizabeth Tydd said in announcing the action.
Optus, her office alleges, “failed to adequately manage cybersecurity and information security risk in a manner commensurate with the nature and volume of personal information that Optus held, the size of Optus, and the risk profile of Optus.”
“Organisations hold personal information within legal requirements and based on trust,” Tydd said, adding that “the Australian community should have confidence that organisations will act accordingly – and if they don’t, the OAIC as regulator will act to secure those rights.”
The latest chapter in a sorry saga
The Optus breach was the first in a spate of horror mega-breaches, with millions of Australians compromised as attacks on the likes of Medibank and Latitude Financial drove the government to crack down on what Minister for Cybersecurity Clare O’Neil famously called “scumbags”.
This led to calls for new cybersecurity rules, an increase in the maximum penalty for a data breach to $50 million, the passage last year of a formal Cyber Security Act, and remediation such as free credit monitoring and replacement of customer ID documents.
The $50 million penalty doesn’t apply in this case, the OAIC said, because that legislation didn’t come into effect until December 2022 and the alleged contraventions occurred between 17 October 2019 and 20 September 2022.
Cybercriminals exploited the stolen Medibank data in over 11,000 known fraud incidents, while the Optus data has been linked to over 300,000 fraud attempts.
Regulators have taken turns punishing breached companies, with ASIC suing firms like GetSwift and FIIG Securities while the OAIC last year filed charges against Medibank for its breach, which has already cost it over $125 million – not including a $250 million APRA penalty.
The new lawsuit against Optus follows a separate ACMA lawsuit over the breach – which drove a surge in complaints to industry overseer the TIO – as well as a recent $100 million fine the ACCC negotiated with Optus after a separate action for unconscionable conduct about its sales practices.
Inadequate data protections risk major fines for companies, with Australian Privacy Commissioner Carly Kind warning that “all organisations holding personal information need to ensure they have strong data governance and security practices [that are] both thorough and embedded.”
Third-party risks continue to grow
Those risks have turned the Optus breach into a cautionary tale for businesses that create application programming interfaces (APIs) to integrate their cloud-based business services with those of third parties – with the breach effected through an unprotected, publicly available API.
“An API should never be public-facing if it facilitates access to sensitive internal data or permits interactions with core business operations,” UpGuard cybersecurity content writer Edward Kost noted in a postmortem that also flagged the risks of linking APIs to sensitive customer data.
Optus also committed a cardinal sin of data security by using incremental customer identifiers, Kost said, meaning “the hacker was able to complete the data breach much faster and at a much larger scale than would have been possible if unique customer identifiers had been used.”
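The two design weaknesses the article attributes to the breach (an unauthenticated, publicly reachable API, and incremental customer numbers that let a caller walk through records by counting) are easy to see in code. The following is an added illustration written for this page, not code from Optus, UpGuard or the OAIC: a minimal in-memory customer-lookup "API" in the weak form beside a hardened form (opaque identifiers, per-customer session tokens, minimal response fields), plus a small access-log check that flags a client requesting consecutive customer numbers. The customer records, identifiers, tokens, API path and log format are all constructed for the example and match no real system.

```python
"""Added example: weak vs hardened customer-lookup API, plus a log check.
All data, paths and tokens here are constructed for illustration."""
import re
import secrets
from collections import defaultdict
from typing import Dict, List, Optional

# ---- Constructed sample records keyed by INCREMENTAL customer numbers -------
# This is the pattern the article criticises: guessable, sequential keys.
CUSTOMERS_BY_NUMBER = {
    1001: {"name": "A. Example", "licence": "LIC-0001"},
    1002: {"name": "B. Example", "licence": "LIC-0002"},
    1003: {"name": "C. Example", "licence": "LIC-0003"},
}


def lookup_insecure(customer_number: int) -> Optional[dict]:
    """Weak design: no authentication, no authorization, sequential key.
    Anyone who can reach the endpoint can read any record by counting up."""
    return CUSTOMERS_BY_NUMBER.get(customer_number)


# ---- Hardened form ----------------------------------------------------------
# 1. Opaque, unguessable record identifiers instead of incremental numbers.
# 2. Every call carries a session token bound to exactly one customer
#    (object-level authorization): a token can only read its own record.
# 3. The response carries only the fields the caller needs.

def opaque_id() -> str:
    """128 bits of randomness; not derivable from any other customer's id."""
    return secrets.token_urlsafe(16)


CUSTOMERS_BY_OPAQUE_ID = {opaque_id(): rec for rec in CUSTOMERS_BY_NUMBER.values()}

# Session store: token -> opaque customer id. Constructed stand-in for a real
# identity provider issuing short-lived tokens.
SESSIONS: Dict[str, str] = {}


def issue_session(customer_id: str) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def lookup_secure(token: str, customer_id: str) -> Optional[dict]:
    """Return a record only if the token is valid AND bound to customer_id.
    The token is the secret; the id is just a handle and must match exactly."""
    subject = SESSIONS.get(token)
    if subject is None or subject != customer_id:
        return None  # deny: unauthenticated, or cross-customer access attempt
    rec = CUSTOMERS_BY_OPAQUE_ID.get(customer_id)
    if rec is None:
        return None
    return {"name": rec["name"]}  # no identity-document fields in the response


# ---- Detection: flag a client walking consecutive customer numbers ----------
# Constructed access-log format: "<timestamp> <client> GET <path> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) GET /api/customer/(\d+) (\d{3})$")

SAMPLE_LOG = [  # constructed sample lines, documentation-range IPs
    "2000-01-01T10:00:01Z 203.0.113.7 GET /api/customer/1001 200",
    "2000-01-01T10:00:02Z 203.0.113.7 GET /api/customer/1002 200",
    "2000-01-01T10:00:03Z 203.0.113.7 GET /api/customer/1003 200",
    "2000-01-01T10:00:04Z 198.51.100.5 GET /api/customer/1002 200",
    "2000-01-01T10:05:00Z 198.51.100.5 GET /api/customer/1001 200",
]


def flag_sequential_access(log_lines: List[str], run_length: int = 3) -> List[str]:
    """Return clients that requested >= run_length consecutive customer numbers
    in ascending order: a cheap signal of enumeration against a sequential key."""
    requests_by_client = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            requests_by_client[m.group(2)].append(int(m.group(3)))
    flagged = []
    for client, ids in requests_by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= run_length:
                flagged.append(client)
                break
    return flagged


if __name__ == "__main__":
    print("insecure lookup of 1002:", lookup_insecure(1002))
    cid = next(iter(CUSTOMERS_BY_OPAQUE_ID))
    tok = issue_session(cid)
    print("secure lookup, own record:", lookup_secure(tok, cid))
    print("secure lookup, bad token:", lookup_secure("not-a-token", cid))
    print("clients flagged for sequential access:", flag_sequential_access(SAMPLE_LOG))
```

The detection function is deliberately simple; in practice the same signal would be combined with request rate and volume per client, and the hardened handler would sit behind an API gateway that also enforces rate limits and rejects unauthenticated calls before they reach application code.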
For all the lessons learned, Optus has struggled to get ahead of the breach and its fallout: CEO Kelly Bayer Rosmarin resigned after a major outage just months later, which led to separate fines and saw Optus repeatedly named one of Australia’s least trusted companies.
Optus “will review and consider the matters raised” in the OAIC lawsuit and will respond “in due course,” a company spokesperson told Information Age.
“We strive every day to protect our customers’ information and have been working hard to minimise any impact the cyberattack may have had,” an Optus spokesperson said.