Telecom May Face Up to $2.22 Million Per Violation in Fines
The Australian privacy watchdog sued Optus, saying the nation's second largest telecom failed for years to protect sensitive customer data breached during a September 2022 incident affecting nearly 10 million people.
The Office of the Australian Information Commissioner alleges the telecom – a wholly owned subsidiary of Singapore-based Singtel – didn't take reasonable steps to protect personal information in the three-year period leading up to the breach.
"Companies must be extremely vigilant to the many threats and risks in today's cyber landscape," said Australian Information Commissioner Elizabeth Tydd. The office initiated an investigation into the incident in October 2022.
The breach, one of the worst in Australia to date, resulted in the theft of data including email addresses, dates of birth and phone numbers. According to the Optus tally, the breach included the active government IDs of 1.2 million customers and 17,000 valid Medicare ID numbers.
The regulator said Optus faces a potential fine of up to $21.9 trillion Australian dollars, should the court levy the maximum penalty of AU$2.22 million for each of the 9.5 million individuals whose privacy regulators say Optus violated. That total figure would amount to nearly eight times Australia's gross domestic product.
A hacker going by "optusdata" claimed responsibility for the hack and demanded $1 million from Optus to not sell the data on a criminal forum. The hacker released data on 10,000 customers, data quickly seized on by cybercriminals to extort Australians into paying ransom. Optusdata eventually decided not to go through with the threat to release the data, announcing a change of heart. "Too many eyes. We will not sale data to anyone. We can't if we even want to: personally deleted data from drive (only copy)," the hacker wrote four days after posting the extortion demand.
Optusdata told Information Security Media Group at the time that the hack wasn't difficult, that he or she had found an open database API not protected by authentication (see: Optus Under $1 Million Extortion Threat in Data Breach).
The Australian Communications and Media Authority, in a separate lawsuit against Optus launched in June 2024, alleged a series of errors led to the API being unsecured. The regulator said a coding error made in 2018 removed access control on the API. Optus came close in August 2021 to fixing the oversight after it detected a similar error, but it missed the API, regulators said. The API "was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it," they told an Australian federal court in still-active litigation.
An Optus spokesperson responded to the lawsuit by telling Australian media that the telecom again apologized for the incident but that it wouldn't comment further on active litigation.
The incident was part of an apparent wave of cyberattacks buffeting the nation during 2022. Australia's largest provider of private health insurance, Medibank, underwent an October 2022 attack from a Russia-based cybercriminal group that dumped onto the darkweb what it said was 5 gigabytes of stolen personal data. The Australian Information Commissioner also sued Medibank in June 2024.
The back-to-back incidents led a top Australian official in December 2022 to vow the nation would become "the world's most cyber-secure nation by 2030" (see: Australia Aims to Be World's 'Most Cyber-Secure' Nation).