Data Privacy, Data Security, Geo-Specific
Telecom May Face Up to $2.22 Million Per Violation in Fines

The Australian privacy watchdog sued Optus, saying the country's second largest telecom failed for years to protect sensitive customer data breached during a September 2022 incident affecting nearly 10 million people.
The Office of the Australian Information Commissioner alleges the telecom – a wholly owned subsidiary of Singapore-based Singtel – failed to take reasonable steps to protect personal information in the three-year period leading up to the breach.
"Businesses need to be extremely vigilant to the many threats and risks in today's cyber landscape," said Australian Information Commissioner Elizabeth Tydd. The office initiated an investigation into the incident in October 2022.
The breach, one of the worst in Australia to date, resulted in the theft of data including email addresses, dates of birth and phone numbers. According to the Optus tally, the breach included the active government IDs of 1.2 million customers and 17,000 valid Medicare ID numbers.
The regulator said Optus faces a potential fine of up to AU$21.9 trillion, should the court levy the maximum penalty of AU$2.22 million for each of the 9.5 million individuals whose privacy regulators say Optus violated. That total would amount to nearly eight times Australia's gross domestic product.
A hacker going by "optusdata" claimed responsibility for the hack and demanded $1 million from Optus not to sell the data on a criminal forum. The hacker released data on 10,000 customers, data quickly seized on by cybercriminals to extort Australians into paying ransom. Optusdata ultimately decided not to go through with the threat to release the data, announcing a change of heart. "Too many eyes. We will not sale data to anybody. We can't if we even want to: personally deleted data from drive (only copy)," the hacker wrote four days after posting the extortion demand.
Optusdata told Information Security Media Group at the time that the hack wasn't difficult, and that he or she had found an open database API not protected by authentication (see: Optus Under $1 Million Extortion Threat in Data Breach).
The Australian Communications and Media Authority, in a separate lawsuit against Optus launched in June 2024, alleged that a series of errors led to the API being left unsecured. The regulator said a coding error made in 2018 removed access control on the API. Optus came close to fixing the oversight in August 2021 after it detected a similar error, but it overlooked the API, regulators said. The API "was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it," they told an Australian federal court in still-active litigation.
An Optus spokesperson responded to the lawsuit by telling Australian media that the telecom again apologized for the incident but that it wouldn't comment further on active litigation.
The incident was part of an apparent wave of cyberattacks buffeting the country during 2022. Australia's largest provider of private health insurance, Medibank, underwent an October 2022 attack by a Russia-based cybercriminal group that dumped onto the dark web what it said was 5 gigabytes of stolen personal data. The Australian Information Commissioner also sued Medibank in June 2024.
The back-to-back incidents led a top Australian official in December 2022 to vow the country would become "the world's most cyber-secure nation by 2030" (see: Australia Aims to Be World's 'Most Cyber-Secure' Nation).