Two Australian Regulators Investigating Optus BreachTelecom Firm Could Face Millions in Fines From Probe Into Privacy, Data Retention
Two Australian regulatory agencies are investigating the telecommunications company behind the country's second-largest data breach, affecting approximately 10 million people. Optus could face millions of dollars in fines if the probes uncover compliance lapses.
The two organizations, the Office of the Australian Information Commissioner and the Australian Communications and Media Authority, are focusing on two major questions: Did Optus take reasonable steps to protect customers' personal information from theft? Did the company follow proper practices for retaining and disposing of personal information?
The Optus breach, discovered Sept. 21, is also the subject of a criminal investigation. Police are looking for the hacker who posted samples of stolen Optus data online along with a US$1 million extortion demand. The samples include data fields for name, email address, physical address, passport number, driver's license number, birthdate, home ownership and more. The data covers current and former Optus customers and, according to the attacker, the stolen trove includes up to 11.2 million sensitive customer records.
If the OAIC privacy commissioner finds "serious and/or repeated interferences with privacy," Optus could face fines up to AU$2.2 million for each violation of the Privacy Act of 1988. Retaining data longer than needed, such as information about past customers, will be examined, says Nerida O'Loughlin, ACMA chair and agency head.
"All telcos have obligations regarding how they acquire, retain, protect and dispose of personal information of their customers," O'Loughlin says. "A key focus for the ACMA will be Optus' compliance with these obligations."
The Australian information commissioner requires businesses to implement best practices aligned with the law's 13 Australian Privacy Principles, which provide standards for collecting and storing of personal data. "Only collect what is reasonably necessary," cautions Angelene Falk, Australian information and privacy commissioner.
The privacy commissioner will also determine if the company took reasonable steps to protect personal information from misuse, interference, loss, unauthorized access, modification or disclosure.
Both agencies declined further comment until the investigations are complete but said the results will be released publicly. The Australian Communications and Media Authority, which regulates telecommunication companies, says it will coordinate with other agencies "to ensure effective information sharing across the respective jurisdictional investigations."
Optus also launched its own investigation into the data breach incident. Optus CEO Kelly Bayer Rosmarin on Oct. 3 announced the company had hired the Deloitte consulting firm to lead the forensic review of the cyberattack and the circumstances surrounding it.
"This review will help ensure we understand how it occurred and how we can prevent it from occurring again," Rosmarin said. "It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists."
'Material Spike' in Optus-Themed Scams
A number of public service agencies have alerted Optus customers to be on the lookout for scams. Multiple bad actors already have sent out Optus breach-themed phishing and SMS messages.
During a review of the Australian Competition and Consumer Commission annual report to the House of Representatives on Tuesday, members quizzed ACCC Chair Gina Cass-Gottlieb about the group's response to Optus breach-themed scams through its Scamwatch service.
Consumers reported about 600 scams related to Optus between Sept. 22 and Oct. 4, according to Cass-Gottlieb, who agreed with Labor MP Daniel Mulino that the Optus breach had resulted in a "material spike" in complaints.
"Some [customers] have reported being contacted by parties who say they're Optus or parties who say they are Experian - the credit reporting agency assigned to provide assistance to customers - and in some cases that say they're MyGov - government employees," she told the House of Representatives members.