The Australian Information Commissioner has launched civil penalty proceedings against telecommunications giant Optus over the massive 2022 data breach that exposed the personal data of 9.8 million customers—nearly 40% of the country’s population.
In a Friday media release, the Office of the Australian Information Commissioner (OAIC) said, “Optus failed to adequately manage cybersecurity and information security risk in a manner commensurate with the nature and volume of personal information that Optus held, the size of Optus, and the risk profile of Optus.”
Optus spokesperson told The Cyber Express, “[The Company] will review and consider the matters raised in the proceedings and will respond to the claims made by the AIC in due course.”
The breach, disclosed in September 2022, saw sensitive customer data including names, birthdates, phone numbers, email addresses, and—in some cases—passport and Medicare details exposed. As reported earlier, attackers accessed this trove of information through a publicly exposed API that did not require authentication, which cybersecurity experts later described as a “basic” and “preventable” oversight.
Also read: 2022 Optus Data Breach Could Have Been Averted Four Years Prior, Says Australian Telecom Watchdog
The OAIC’s investigation focused on whether Optus took reasonable steps to protect the personal data it held, including data retention and destruction practices, and whether it complied with Australian Privacy Principle (APP) 11.1. This principle requires organisations to take active measures to prevent unauthorised access or disclosure of personal information.
OAIC Alleges “Serious Interference” with Privacy
Commissioner Carly Kind stated that the OAIC’s investigation concluded Optus had “seriously interfered” with the privacy of customers by failing to adequately secure the personal information it held.
The release of personal information can cause serious harm to affected individuals. It also erodes public trust in how organisations handle personal data, Kind said.
The main reason behind the OAIC seeking penalties from the Federal Court is to promote accountability and drive compliance with privacy laws. If successful, the case could result in penalties running into the millions of dollars.
Deloitte Review Raised Red Flags
In the wake of the breach, Optus commissioned Deloitte to conduct an independent review of the incident. While Optus declined to release the full report to the public citing legal privilege, a Federal Court ruling in 2024 allowed affected customers to access sections of the report to support class-action lawsuits.
Read: Federal Court Denies Optus Appeal to Withhold Deloitte Report on 2022 Cyberattack
That report reportedly identified significant governance, risk management, and technical failings, including the failure to decommission old systems and insufficient internal access controls.
Optus, which is owned by Singaporean telco Singtel, has repeatedly stated that it was the victim of a cyberattack and has argued that the breach was not due to negligence. However, this latest action by the OAIC signals that Australian regulators view the case through the lens of preventable systemic failure, not just external intrusion.
Legal, Financial, and Reputational Fallout
The civil action comes amid growing scrutiny over corporate data practices in Australia. The Optus breach was soon followed by major incidents at Medibank and Latitude Financial, prompting government inquiries and calls for tougher penalties under the Privacy Act.
Under current legislation, the OAIC can seek penalties of up to AU$2.22 million per contravention. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which passed after the breach, now allows for penalties of up to AU$50 million, though the Optus case will proceed under the laws that existed at the time of the breach.
Optus has also faced at least two major class-action lawsuits since 2022. Law firms representing affected customers have cited emotional distress, identity theft, and financial fraud stemming from the exposure of personal data.
“Optus Apologizes”
The Optus spokesperson said the company “apologizes again” to its customers for the 2022 cyberattack.
“We strive every day to protect our customers’ information and have been working hard to minimise any impact the cyber-attack may have had. We continue to recognise that as the cyber threat environment evolves, the security of our customers and their personal information has never been more important.
When asked about what measures the company has taken to avert any future incidents of the same capacity, the spokesperson declined to further comment citing the matter being in Australian Courts but said, “We will continue to invest in the security of our customers’ information, our systems, and our cyber defence capabilities.”
What’s Next?
The Federal Court will now decide whether Optus failed to meet its obligations under the Privacy Act, and if so, what penalties are appropriate. The case is expected to set a precedent for how Australian regulators—and potentially global authorities—treat negligent data stewardship in critical industries.
Kind said: “The Optus data breach highlights some of the risks associated with external-facing websites and domains, particularly when these interact with internal databases holding personal information, as well as the risks around using third-party providers.
“All organisations holding personal information need to ensure they have strong data governance and security practices. These need to be both thorough and embedded, to guard against vulnerabilities that threat actors will be ready to exploit.”
This action also raises important questions for all companies handling personal data. How long is too long to store sensitive information, and what constitutes “reasonable steps” to protect it?
For now, the OAIC is clear in its stance that compliance is not optional, and failure to meet the bar can lead to serious legal and financial consequences.
