Latest news with #ElizabethTydd

Privacy commissioner OAIC sues telco Optus over data breach of 9.5 million customers in Australia

7NEWS

a day ago

  • Business
  • 7NEWS

Optus seriously interfered with the privacy of about 9.5 million Australians in failing to protect their data, and could face hefty fines for each breach in new court action.

The Office of the Australian Information Commissioner (OAIC) has filed Federal Court proceedings against the telco for the September 2022 cyber attack, which resulted in customers' private data - including home addresses, birth dates, phone numbers and email addresses - finding its way to the dark web.

Optus failed to take reasonable steps to protect users' data, breaching the telco's obligations under the Privacy Act, chief commissioner Elizabeth Tydd said.

'Organisations hold personal information within legal requirements and based upon trust,' she said. 'The Australian community should have confidence that organisations will act accordingly, and if they don't the OAIC as regulator will act to secure those rights.'

The action comes after the organisation's investigation following the attack.

Optus said it would review and consider the matters raised in the proceedings and would respond to the OAIC's claims in due course.

'Optus apologises again to our customers and the broader community that the 2022 cyber-attack occurred,' a spokesman said in a statement. 'We strive every day to protect our customers' information and have been working hard to minimise any impact the cyber attack may have had.'

The Federal Court can impose a civil penalty of up to $2.22 million for each contravention of the Act, and the OAIC is alleging one breach for each of the approximately 9.5 million individuals impacted. Imposing the maximum penalty for all victims would be impossible, since Optus' Singapore-listed owner Singtel has a total market value of about $101.5 billion.

The breach highlighted some of the risks associated with external-facing websites, particularly when they interacted with internal databases holding personal information, Australian Privacy Commissioner Carly Kind said.

'All organisations holding personal information need to ensure they have strong data governance and security practices,' she said. 'These need to be both thorough and embedded, to guard against vulnerabilities that threat actors will be ready to exploit.'

Privacy commissioner sues Optus over data breach

Perth Now

2 days ago

  • Business
  • Perth Now

Optus seriously interfered with the privacy of about 9.5 million Australians in failing to protect their data, and could face hefty fines for each breach in new court action.

The Office of the Australian Information Commissioner (OAIC) has filed Federal Court proceedings against the telco for the September 2022 cyber attack, which resulted in customers' private data - including home addresses, birth dates, phone numbers and email addresses - finding its way to the dark web.

Optus failed to take reasonable steps to protect users' data, breaching the telco's obligations under the Privacy Act, chief commissioner Elizabeth Tydd said.

"Organisations hold personal information within legal requirements and based upon trust," she said. "The Australian community should have confidence that organisations will act accordingly, and if they don't the OAIC as regulator will act to secure those rights."

The action comes after the organisation's investigation following the attack.

Optus said it would review and consider the matters raised in the proceedings and would respond to the OAIC's claims in due course.

"Optus apologises again to our customers and the broader community that the 2022 cyber-attack occurred," a spokesman said in a statement. "We strive every day to protect our customers' information and have been working hard to minimise any impact the cyber attack may have had."

The Federal Court can impose a civil penalty of up to $2.22 million for each contravention of the Act, and the OAIC is alleging one breach for each of the approximately 9.5 million individuals impacted. Imposing the maximum penalty for all victims would be impossible, since Optus' Singapore-listed owner Singtel has a total market value of about $101.5 billion.

The breach highlighted some of the risks associated with external-facing websites, particularly when they interacted with internal databases holding personal information, Australian Privacy Commissioner Carly Kind said.

"All organisations holding personal information need to ensure they have strong data governance and security practices," she said. "These need to be both thorough and embedded, to guard against vulnerabilities that threat actors will be ready to exploit."

Optus sued by privacy regulator in warning to Australian corporates to protect data or face fines

ABC News

2 days ago

  • Business
  • ABC News

Optus could face another hefty penalty, as the privacy watchdog sues the telco over the 2022 cyber attack that exposed the data of around 9.5 million Australians.

The Office of the Australian Information Commissioner (OAIC) has filed civil penalty proceedings in the Federal Court, alleging Optus breached privacy laws by failing to properly protect consumers' data.

The OAIC has alleged that for a nearly three-year period until September 2022, when the breach occurred as the result of a cyber attack, Optus "seriously interfered with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure" under the Privacy Act.

The regulator has claimed Optus failed to manage cybersecurity and information security adequately for an organisation of its size, for the volume of personal information it held and for the company's "risk profile".

"The commencement of these proceedings confirms that the [Office of the Australian Information Commissioner] will take the action necessary to uphold the rights of the Australian community," one of the commissioners, Elizabeth Tydd, said.

"Organisations hold personal information within legal requirements and based upon trust.

"The Australian community should have confidence that organisations will act accordingly, and if they don't, the OAIC as regulator will act to secure those rights."

An Optus spokesperson said the company was reviewing the matters raised in the proceedings and will respond to the claims "in due course".

"Optus apologises again to our customers and the broader community that the 2022 cyber-attack occurred," the statement to ABC News read.

The telco said it had been "working hard" to minimise the impact of the 2022 incident and "will continue to invest in the security of our customers' information, our systems, and our cyber defence capabilities".

The theoretical fine the telco may face could reach into trillions of dollars, as the Federal Court can impose a civil penalty of up to $2.22 million for each contravention under the Privacy Act.

The OAIC said it was alleging one contravention for "each of the 9.5 million individuals whose privacy it alleges Optus seriously interfered with", but the regulator noted any penalty was a matter for the court to determine.

A body representing communications consumers, ACCAN, welcomed the action by the OAIC and said it sent a "clear message" to the sector, with "trillions at stake for Optus".

"We have a long way to go to remedy the sorts of practices and behaviours we have seen from Optus over the past few years," ACCAN chief executive Carol Bennett said.

Optus has already faced legal proceedings over the high-profile attack and last year said it intended to defend claims by the Australian Communications and Media Authority (ACMA) that it failed to protect confidential details in its database.

In June, Optus agreed to pay a $100 million penalty after it admitted to inappropriate sales practices and misconduct, following legal proceedings brought by the consumer watchdog in an unrelated matter.

Jamieson O'Reilly, the founder of a firm that companies pay to find IT vulnerabilities, welcomed the court action over one of Australia's most significant data breaches.

"I do believe these civil proceedings are a net positive to the cyber security of Australian companies.

"Many times, historically, private companies have effectively gotten away with exposing their customer information," he told ABC News.

Privacy and data security have remained in the headlines following the 2022 Optus cyber attack, with Australian and global corporates continuing to face hacks and breaches.

In recent months, the information of 5.7 million Qantas customers was compromised in a cyber attack on the airline's systems.

Mr O'Reilly, the founder of Dvuln, said civil penalties did act as a deterrent and encouraged companies to take cybersecurity seriously.

"Traditionally, security leaders in organisations struggle to get money from the board to invest in cybersecurity, this allows them to have something to go to the board and say if we don't invest in cybersecurity, this is what happens."

Mr O'Reilly said consumers could also help hold companies to account by taking their business elsewhere.

"After the shock and awe of the event, if customers don't have the time or effort to pursue legal and civil action, or leave the company, that also sends a message to the board that they don't have to take it [cybersecurity] as seriously."

Optus sued over 2022 data breach that exposed data of 9.5m people

Sky News AU

2 days ago

  • Business
  • Sky News AU

Optus is being sued for allegedly failing to protect the data of 9.5 million people.

The Australian Information Commissioner announced on Friday it was launching the legal action. The case stems from a data breach in September 2022.

The Information Commissioner will argue Optus failed to adequately manage cybersecurity and information security risk.

'Organisations hold personal information within legal requirements and based upon trust,' commissioner Elizabeth Tydd said. 'The Australian community should have confidence that organisations will act accordingly, and if they don't, the OAIC as regulator will act to secure those rights.'

An Optus spokesperson said the company would 'consider the matters raised in the proceedings and will respond to the claims made by the AIC in due course'.

'Optus apologises again to our customers and the broader community that the 2022 cyber attack occurred,' the spokesperson said. 'We strive every day to protect our customers' information and have been working hard to minimise any impact the cyber attack may have had.'

Optus would keep investing in security, the spokesperson said, and the cyber threat environment was evolving.

'As the matter is now before the Australian courts, Optus will not be commenting further at this time,' they said.

Australian Privacy Commissioner Carly Kind said strong data governance and security needed to be embedded in organisations. 'To guard against vulnerabilities that threat actors will be ready to exploit,' Ms Kind said.

The lawsuit alleges that from on or around October 17, 2019 to September 20, 2022, Optus seriously interfered with the privacy of about 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The case is being pursued as an alleged breach of the Privacy Act 1988.

The Information Commissioner alleges Optus failed to adequately manage cybersecurity and information security risk in a manner commensurate with the nature and volume of personal information that Optus held, the company's size and its risk profile.

In September 2022 a cybercriminal stole personal information of 9.5 million current and former Optus customers. The data included names, birthdays, phone numbers, passport numbers, email addresses, driver's licence numbers, government identifiers, Medicare numbers, birth certificate information, marriage certificate information, and military and police identification information.

The Federal Court can fine a company $2.22m for each contravention of the type in this lawsuit. The Australian Information Commissioner is alleging each of the 9.5 million customers should be treated as an individual contravention.

Optus is wholly owned by Singapore Telecommunications Limited (Singtel), which in turn is majority-owned by the investment arm of the Singapore government.
