Australia’s privacy and communications regulators have launched coordinated investigations into the Optus data breach that saw the personal data of 9.8 million Australians compromised last month.
The inquiries will consider Optus’s obligations as a telco and its adherence to privacy law, including its potential failure to protect the data and “whether the information collected and retained was necessary to carry out their business”.
Serious contraventions could see Optus forced into undertakings and facing civil penalties.
In September, Optus revealed a cyberattack had resulted in the disclosure of personal data belonging to current and former customers, including driver’s licence, passport and medicare numbers.
The incident has put millions of customers at risk of fraud and identity theft, forcing many to obtain new identity documents. Optus has apologised, will fund the cost of replacement documents and is offering some affected customers free credit monitoring and fraud protection services.
The telco is also facing potential class actions, while the government has promised regulatory and possible legislative changes in response to the breach.
The Office of the Australian Information Commissioner (OAIC) is also considering seeking civil penalties if it finds serious and/or repeated infringements with privacy in its own investigation launched on Tuesday.
The privacy watchdog will investigate the breach with a focus on the personal information handling practices of Optus companies Singtel Optus Pty Ltd, Optus Mobile Pty Ltd and Optus Internet Pty Ltd.
“The OAIC’s investigation will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business,” an OAIC statement said.
“The investigation will also consider whether the Optus companies took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy principles (APPs), including enabling them to deal with related inquiries or complaints.”
If privacy breaches are found, Information Commissioner Angelene Falk can make a determination that requires Optus to improve its practices and redress loss or damage. A serious breach could warrant Ms Falk seeking civil penalties through the Federal Court of up to $2.2 million for each contravention.
Cybersecurity minister Clare O’Neil has said around 2.8 million Optus customers have had “significant amounts of personal data” taken.
The OAIC investigation will take place alongside another investigation by the Australian Communications and Media Authority (ACMA).
As the telco regulator, ACMA will investigate the breach and Singtel Optus Pty Limited’s obligations as a telecommunications service provider.
These include obligations “relating to the acquisition, authentication, retention, disposal and protection of personal information, and requirements to provide fraud mitigation protections”, ACMA said in a separate statement on Tuesday.
The ACMA investigation “will take some time” and be made public once completed. The department of Home Affairs will also assist in information sharing between the two regulators’ investigations.
“All telcos have obligations regarding how they acquire, retain, protect and dispose of the personal information of their customers. A key focus for the ACMA will be Optus’ compliance with these obligations,” ACMA chair Nerida O’Loughlin said.
“We look forward to full cooperation from Optus in this investigation.”
Australian Information and Privacy Commissioner Angelene Falk said corporate Australia needed to take heed of the Optus breach.
“If they have not done so already, I urge all organisations to review their personal information handling practices and data breach response plans to ensure that information is held securely, and that in the event of a data breach they can rapidly notify individuals so those affected can take steps to limit the risk of harm from their personal information being accessed,” she said.
“And collecting and storing personal information that is not reasonably necessary to your business breaches privacy and creates risk. Only collect what is reasonably necessary.”
