Source: www.infosecurity-magazine.com
The Australian Information Commissioner (AIC) has launched civil action against Optus for a 2022 data breach that exposed the personal details of 9.5 million Australians.
The lawsuit alleges that telecommunications firm Optus failed to take reasonable steps to protect victims’ personal information from unauthorized access and disclosure, in breach of Australia’s Privacy Act 1988.
Following an investigation, the AIC concluded that Optus’ security practices were not commensurate with the nature and volume of personal information held by the telecoms provider.
Australian Privacy Commissioner, Carly Kind, commented: “the Optus data breach highlights some of the risks associated with external-facing websites and domains, particularly when these interact with internal databases holding personal information, as well as the risks around using third-party providers.”
She continued: “All organizations holding personal information need to ensure they have strong data governance and security practices. These need to be both thorough and embedded, to guard against vulnerabilities that threat actors will be ready to exploit.”
The AIC has applied to the Federal Court to impose a civil penalty order against Optus, alleging one contravention of the Privacy Act for each of the 9.5 million victims.
The court has the power to impose up to $2.22m for each contravention, meaning Optus could face an enormous financial penalty.
In December 2022, the maximum civil penalty that can be imposed was increased to $50m per contravention. However, this will not apply in this case as the alleged contraventions occurred from 17 October 2019 to 20 September 2022.
“Whether a civil penalty order is made, and the amount, are matters before the court,” the AIC noted in a release dated August 8.
Optus’ Mass Data Breach in the Spotlight
Sydney-headquartered Optus disclosed it had been hit by a cyber-attack in September 2022, revealing that nearly 10 million current and former customers’ data may have been accessed.
It emerged that this data included sensitive personally identifiable information, including:
- Names, dates of birth, home addresses, phone numbers and email addresses
- Government-related identifiers, including passport numbers, driver’s licence numbers, Medicare card numbers, birth certificate information, marriage certificate information, and armed forces, defence force and police identification information
Optus said it was able to prevent the hackers from stealing customers’ payment details and account passwords.
The attackers reportedly issued Optus a ransom demand to prevent the data from being sold online. However, shortly afterwards, a hacker claiming responsibility for the hack appeared to take down a database containing some of the stolen information on BreachForums, apologizing to the 10,000 Australians whose data had been leaked.
The attackers reportedly exploited a misconfigured API to access the dataset without requiring any authentication.
Optus Response to Lawsuit
In a statement, Optus said it is reviewing the AIC claims.
“Optus apologises again to our customers and the broader community that the 2022 cyber attack occurred. We strive every day to protect our customers’ information and have been working hard to minimise any impact the cyber attack may have had,” the company stated.
It added: “We continue to recognise that as the cyber threat environment evolves, the security of our customers and their personal information has never been more important. We will continue to invest in the security of our customers’ information, our systems, and our cyber defence capabilities.”
Image credit: T. Schneider / Shutterstock.com
Original Post URL: https://www.infosecurity-magazine.com/news/australian-regulatory-sues-optus/