Australian regulator sues telecom giant Optus over massive 2022 data breach

The Australian Information Commissioner has launched legal action against Optus, alleging the telecommunications giant failed to adequately protect the personal data of millions of customers in one of the nation’s most severe cyberattacks.


The civil penalty proceedings, filed in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited, accuse the Singapore Telecommunications-owned carrier of breaching the Privacy Act 1988 between October 2019 and September 2022. Regulators claim the company’s inadequate cybersecurity measures led to the September 2022 breach that compromised sensitive information of about 9.5 million people.


The attack, revealed publicly on September 22, 2022, exposed names, addresses, phone numbers, email addresses, and government-issued identifiers such as passport and driver’s licence numbers. In some cases, the stolen data later appeared on the dark web. Approximately 40 percent of Australia’s population was affected, with many experiencing service disruptions to mobile, broadband, and landline networks.


Australian Information Commissioner Elizabeth Tydd said the case underscores the regulator’s commitment to protecting citizens’ rights. “Organisations hold personal information within legal requirements and based upon trust,” she said. “If they don’t act accordingly, the OAIC will act to secure those rights.”


Privacy Commissioner Carly Kind warned that the incident highlighted the dangers of vulnerable external-facing systems and the need for robust data governance. “Businesses need to be extremely vigilant to the significant threats and risks in today’s cyber landscape,” she said.


The Privacy Act permits fines of up to A$2.2 million per breach, meaning potential penalties could reach extraordinary sums if the court rules against Optus. The Australian Information Commissioner has not disclosed the total damages sought. Optus said it is reviewing the claims but has not assessed the financial implications.


The fallout from the breach has been far-reaching. The incident spurred Prime Minister Anthony Albanese to push for stronger privacy protections, including faster breach notifications to banks. Public criticism intensified in 2023 after a 12-hour nationwide outage, ultimately leading to the resignation of CEO Kelly Bayer Rosmarin.


This is not the first time Optus has faced court over the cyberattack. The domestic media regulator initiated separate proceedings in May 2024. The outcome of the latest case could set a significant precedent for how Australian companies manage and secure personal data in an era of escalating cyber threats.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543