Latest news with #OAIC


7NEWS
3 days ago
- Business
- 7NEWS
Privacy commissioner OAIC sues telco Optus over data breach of 9.5 million customers in Australia
Optus seriously interfered with the privacy of about 9.5 million Australians in failing to protect their data, and could face hefty fines for each breach in new court action. The Office of the Australian Information Commissioner (OAIC) has filed Federal Court proceedings against the telco for the September 2022 cyber attack, which resulted in customers' private data - including home addresses, birth dates, phone numbers and email addresses - finding its way to the dark web. Optus failed to take reasonable steps to protect users' data, breaching the telco's obligations under the Privacy Act, chief commissioner Elizabeth Tydd said. 'Organisations hold personal information within legal requirements and based upon trust,' she said. 'The Australian community should have confidence that organisations will act accordingly, and if they don't the OAIC as regulator will act to secure those rights.' The action comes after the organisation's investigation following the attack. Optus said it would review and consider the matters raised in the proceedings and would respond to the OAIC's claims in due course. 'Optus apologises again to our customers and the broader community that the 2022 cyber-attack occurred,' a spokesman said in a statement. 'We strive every day to protect our customers' information and have been working hard to minimise any impact the cyber attack may have had.' The Federal Court can impose a civil penalty of up to $2.22 million for each contravention of the Act, and the OAIC is alleging one breach for each of the approximately 9.5 million individuals impacted. Imposing the maximum penalty for all victims would be impossible, since Optus' Singapore-listed owner Singtel has a total market value of about $101.5 billion. The breach highlighted some of the risks associated with external-facing websites, particularly when they interacted with internal databases holding personal information, Australian Privacy Commissioner Carly Kind said.
'All organisations holding personal information need to ensure they have strong data governance and security practices,' she said. 'These need to be both thorough and embedded, to guard against vulnerabilities that threat actors will be ready to exploit.'


Canberra Times
3 days ago
- Canberra Times
Privacy commissioner sues Optus over data breach
The Federal Court can impose a civil penalty of up to $2.22 million for each contravention of the Act, and the OAIC is alleging one breach for each of the approximately 9.5 million individuals impacted.


Perth Now
3 days ago
- Business
- Perth Now
Privacy commissioner sues Optus over data breach

ABC News
3 days ago
- Business
- ABC News
Optus sued by privacy regulator in warning to Australian corporates to protect data or face fines
Optus could face another hefty penalty, as the privacy watchdog sues the telco over the 2022 cyber attack that exposed the data of around 9.5 million Australians. The Office of the Australian Information Commissioner (OAIC) has filed civil penalty proceedings in the Federal Court, alleging Optus breached privacy laws by failing to properly protect consumers' data. The OAIC has alleged that for a nearly three-year period until September 2022, when the breach occurred as the result of a cyber attack, Optus "seriously interfered with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure" under the Privacy Act. The regulator has claimed Optus failed to manage cybersecurity and information security adequately for an organisation of its size, for the volume of personal information it held and for the company's "risk profile". "The commencement of these proceedings confirms that the [Office of the Australian Information Commissioner] will take the action necessary to uphold the rights of the Australian community," one of the commissioners, Elizabeth Tydd, said. "Organisations hold personal information within legal requirements and based upon trust. "The Australian community should have confidence that organisations will act accordingly, and if they don't, the OAIC as regulator will act to secure those rights." An Optus spokesperson said the company was reviewing the matters raised in the proceedings and will respond to the claims "in due course". "Optus apologises again to our customers and the broader community that the 2022 cyber-attack occurred," the statement to ABC News read. The telco said it had been "working hard" to minimise the impact of the 2022 incident and "will continue to invest in the security of our customers' information, our systems, and our cyber defence capabilities". 
The theoretical fine the telco may face could reach into trillions of dollars, as the Federal Court can impose a civil penalty of up to $2.22 million for each contravention under the Privacy Act. The OAIC said it was alleging one contravention for "each of the 9.5 million individuals whose privacy it alleges Optus seriously interfered with", but the regulator noted any penalty was a matter for the court to determine. A body representing communications consumers, ACCAN, welcomed the action by the OAIC and said it sent a "clear message" to the sector, with "trillions at stake for Optus". "We have a long way to go to remedy the sorts of practices and behaviours we have seen from Optus over the past few years," ACCAN chief executive Carol Bennett said. Optus has already faced legal proceedings over the high-profile attack and last year said it intended to defend claims by the Australian Communications and Media Authority (ACMA) that it failed to protect confidential details in its database. In June, Optus agreed to pay a $100 million penalty after it admitted to inappropriate sales practices and misconduct, following legal proceedings brought by the consumer watchdog in an unrelated matter. Jamieson O'Reilly, the founder of a firm that companies pay to find IT vulnerabilities, welcomed the court action over one of Australia's most significant data breaches. "I do believe these civil proceedings are a net positive to the cyber security of Australian companies. "Many times, historically, private companies have effectively gotten away with exposing their customer information," he told ABC News. Privacy and data security have remained in the headlines following the 2022 Optus cyber attack, with Australian and global corporates continuing to face hacks and breaches. In recent months, the information of 5.7 million Qantas customers was compromised in a cyber attack on the airline's systems. 
Mr O'Reilly, the founder of Dvuln, said civil penalties did act as a deterrent and encouraged companies to take cybersecurity seriously. "Traditionally, security leaders in organisations struggle to get money from the board to invest in cybersecurity. This allows them to have something to go to the board and say: if we don't invest in cybersecurity, this is what happens." Mr O'Reilly said consumers could also help hold companies to account by taking their business elsewhere. "After the shock and awe of the event, if customers don't have the time or effort to pursue legal and civil action, or leave the company, that also sends a message to the board that they don't have to take it [cybersecurity] as seriously."