Privacy Regulator’s Suit Could Mean Possible Huge Penalties for Optus Over 2022 Data Breach

August 21, 2025


Australia’s privacy rules provide for fines of up to AUD 2.2 million per impacted customer. And the privacy regulator is seeking to treat each of the roughly 9.5 million Optus customers as an individual data breach for fine purposes, as it looks to make examples of some of the largest breach victims believed to have been negligent in their cybersecurity duties.

The Optus data breach of 2022 was one of the largest in Australia’s history, impacting millions of customers, but financial penalties have yet to follow. That may soon change: the national privacy regulator has filed for civil penalties that could do serious damage to the company’s bottom line if the Federal Court opts for a severe decision.

The rules provide for fines of up to AUD 2.2 million per impacted customer, though the final penalty (if any) is unlikely to come anywhere near that theoretical maximum. The privacy regulator is seeking to treat each of about 9.5 million customers as an individual data breach for fine purposes, as it looks to make examples of some of the largest breach victims: companies whose incidents caused mass disruption and are believed to have contributed to those incidents through a negligent failure to maintain an adequate cybersecurity posture.

Eye-popping max data breach penalties, but Optus payment will likely be much more modest

At this point the privacy regulator has only determined that it will seek a penalty for each customer who had personal and contact information exposed. The fine amount cannot be predicted yet, as it is for the Federal Court to decide. The privacy regulator is seeking large penalties against companies whose alleged negligence contributed to massive data breaches, but Optus has also been seen as cooperative and accommodating in the wake of its 2022 incident, and has invested in both compensation for victims and cybersecurity improvements. Also, only a portion of the 9.5 million records contained current sensitive identity data such as passport details, driver’s licence numbers and Medicare card numbers; the majority of victims had only basic contact information and birth dates exposed.

Optus is also “grandfathered in” to the older Privacy Act 1988 terms, which cap the fine per breach at AUD 2.2 million; rules that took effect at the end of 2022 raised that maximum to AUD 50 million, but only for data breaches that took place from that point forward.

Privacy regulator alleges inadequate cybersecurity by Optus

The Federal Court decision will mostly come down to a determination of exactly how negligent Optus was in its cybersecurity responsibilities. Judging from publicly available information, the case does not look good for the telecom giant. The root cause dates to 2018, when an API was mistakenly left exposed to the public internet without requiring credentials. This went unnoticed until a Sydney hacker found it in 2022, exploiting it to scrape records that should have been secured and using about 93 of them to attempt blackmail before being caught.
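To make the failure mode described above concrete, here is an added, constructed example (not Optus code and not based on any published detail of its systems): a customer-lookup endpoint with no access control, modelled next to a hardened version that requires a bearer token and checks that the token’s owner matches the record requested. The record contents, the sequential customer IDs, the HMAC token scheme and the signing key are all assumptions made for the demonstration; the scrape() helper plays the part of a script enumerating IDs the way a scraper would.

```python
"""Toy model of an unauthenticated record-lookup API and a hardened version.

Constructed example for illustration only. The endpoint shape, the sample
records, the sequential IDs and the HMAC bearer-token scheme are assumptions,
not a description of any real system.
"""

import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data. The IDs are sequential on purpose: once an endpoint
# has no access control, predictable identifiers make a full scrape a for-loop.
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1980-01-01", "licence": "12345678"},
    1002: {"name": "B. Example", "dob": "1975-06-15", "licence": "87654321"},
    1003: {"name": "C. Example", "dob": "1990-11-30", "licence": "11112222"},
}

# Assumed server-side signing key; in practice this comes from a secrets store.
SECRET = b"server-side-signing-key"


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_lookup(customer_id: int, headers: dict) -> Response:
    """Before: any client that can reach the endpoint gets the record back."""
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def issue_token(customer_id: int) -> str:
    """Mint a bearer token bound to one customer (assumed HMAC-SHA256 scheme)."""
    sig = hmac.new(SECRET, str(customer_id).encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{sig}"


def verify_token(token: str) -> Optional[int]:
    """Return the customer id a token is bound to, or None if it is invalid."""
    try:
        cid_str, sig = token.split(".", 1)
        cid = int(cid_str)
    except ValueError:
        return None
    expected = hmac.new(SECRET, cid_str.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(sig, expected):
        return None
    return cid


def hardened_lookup(customer_id: int, headers: dict) -> Response:
    """After: authenticate the caller, then check they may read this record."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return Response(401)
    caller = verify_token(auth[len("Bearer "):])
    if caller is None:
        return Response(401)
    if caller != customer_id:
        # Object-level authorization: a valid token for one customer must not
        # unlock other customers' records. Answer 404 rather than 403 so the
        # endpoint does not confirm which ids exist.
        return Response(404)
    record = CUSTOMERS.get(customer_id)
    return Response(200, record) if record is not None else Response(404)


def scrape(lookup: Callable[[int, dict], Response],
           id_range: Iterable[int],
           headers: Optional[dict] = None) -> Dict[int, dict]:
    """Walk an id range the way a scraper would; keep whatever came back 200."""
    headers = headers or {}
    harvested: Dict[int, dict] = {}
    for cid in id_range:
        resp = lookup(cid, headers)
        if resp.status == 200 and resp.body is not None:
            harvested[cid] = resp.body
    return harvested


if __name__ == "__main__":
    print("open endpoint:", len(scrape(vulnerable_lookup, range(1000, 1010))), "records")
    print("hardened, no token:", len(scrape(hardened_lookup, range(1000, 1010))), "records")
    own = {"Authorization": "Bearer " + issue_token(1002)}
    print("hardened, own token:", list(scrape(hardened_lookup, range(1000, 1010), own)))
```

Against the vulnerable handler, scrape() collects every record in the range; against the hardened one it gets nothing without a token and only the caller’s own record with one, because the ownership check stops a legitimate credential from being reused to enumerate other customers. Authentication on the endpoint is the minimum fix: an internal lookup API should also not be routable from the public internet at all, and per-client rate limiting would make wholesale enumeration slow and noisy even if a credential leaked.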

The Australian Communications and Media Authority (ACMA) opened a similar suit under its own regulatory powers last year, which has not yet been decided. That suit also centered on Optus’ alleged failure to meet the required standards for protecting stored personal information from unauthorized access. Optus also faces a class action filed last year by victims who were forced to replace government identity documents because of the exposure.

The privacy regulator is also weighing the volume and type of personal data Optus handles and its overall risk profile, all of which will likely factor into any eventual penalty. Optus is the second-largest telecom in Australia and has grown somewhat since the 2022 data breach, now serving over 11 million regional customers, and is deep into plans to roll out service across 100% of the country by partnering with Elon Musk’s Starlink.