The Australian Communications and Media Authority said it has filed proceedings against Optus in a federal court as the company failed to protect sensitive customer data during a data breach in September 2022 that affected close to 10 million people.
Optus suffered a major customer data breach in 2022 that gave malicious actors access to about 9.8 million former and current customers' sensitive information, including names, birthdates, phone numbers, email addresses and, for a subset of customers, addresses and ID document numbers, such as driver's license or passport numbers.
The latest filing is the second recent case the agency has brought against Optus.
In March, Optus paid a penalty of AU$1.5 million to the ACMA after the watchdog's investigation determined the company failed to upload the information of close to 200,000 customers to the Integrated Public Number Database in violation of the Telecommunications Act.
The database helps critical services warn citizens about disasters such as floods and bush fires and manages the Triple Zero service to share citizens' location information with the police, ambulance and fire brigade in an emergency.
The Office of the Australian Information Commissioner is also investigating the 2022 data security incident, and several Australian law firms have proposed class action lawsuits against Optus on behalf of millions of customers whose data was accessed and posted on the dark web by hackers.
The OAIC is also investigating whether Optus took reasonable steps to comply with the Australian Privacy Principles during and in the aftermath of the security incident.
Two months after the breach, the Australian Parliament passed amendments to the Privacy Act that empower the OAIC to issue fines of up to AU$50 million or 30% of a company's adjusted turnover in the relevant period, whichever is greater, for serious or repeated privacy breaches.
The government in its 2022 federal budget gave the OAIC funding of AU$5.5 million over two years to help investigate the Optus data breach incident.
In addition to the federal investigation and the ACMA lawsuit, Optus faces grueling legal battles ahead, as the Federal Court in November ruled against its motion to maintain the confidentiality of a Deloitte-prepared forensic report about the data security incident.
The ruling gives class action lawyers access to forensic details about the breach that they can use to strengthen their case.
This article was published on www.bankinfosecurity.com. Publication date: Mon, 27 May 2024 13:43:04 +0000