What do I need to know about the Optus privacy breach?

In September 2022, one of Australia’s largest companies suffered a massive privacy breach, exposing the personal information of millions of customers to potential misuse

In late September 2022, a cyber attack on Optus exposed the personal information of approximately 9.8 million of its current and past customers. The attacker claimed to hold files of 10,000 customer records and threatened to release this data unless Optus paid them $1.5 million. 

The customer records include personal information such as full names, dates of birth, phone numbers, addresses and even identification documents, including passport, driver's licence and Medicare card numbers. 

So what do you need to know about the Optus privacy breach, and how will it affect you and your business?

What is personal information?

The federal Privacy Act defines personal information as:

“information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. Whether the information or opinion is true or not; and
  2. Whether the information or opinion is recorded in a material form or not.”

Why would someone steal personal information?

The stolen data contains personal identity information, which can be sold or shared for various malicious purposes. The Australian Federal Police are aware of reports of cybercriminals selling data via the dark web or online forums to persons seeking to commit identity theft. Data may also be used by cybercriminals to gain the trust of the person whose personal information they have stolen in order to conduct scams or make phishing attempts. 

Privacy laws in Australia

The recent cyberattack on Optus serves as a reminder to service providers and consumers to be aware of the laws governing organisations like telecommunications providers, as well as those protecting customers. The Privacy Act applies to organisations and imposes certain obligations on those organisations to implement measures to protect and respond to unauthorised access, disclosure and loss of personal information. 

The Privacy Act broadly defines “organisation” to include a number of different entity types with an annual turnover of more than $3 million, as well as specific small businesses. Those organisations are required to notify the Office of the Australian Information Commissioner (OAIC) if they are the victim of a privacy breach.

Other organisations that fall outside the ambit of the Privacy Act should also remain vigilant and mindful of how they handle, store and protect their customers’ personal information. 

What are the data retention requirements?

Even if you are no longer a customer of a particular provider (like some of the Optus customers), the Telecommunications (Interception and Access) Act requires telecommunications service providers to keep certain customer information and documents for 2 years after that customer’s account is closed. The purpose of these retention obligations is to support law enforcement and assist in investigations; note that the information stored might include the date and time an email was sent, but not the content of your email.

What are the potential law reforms?

In response to the Optus breach, it has been reported that the Federal Government may toughen privacy laws. In particular, the Government has indicated it may introduce significant reforms to:

  • Increase penalties for data breaches under the Privacy Act; and
  • Allow service providers to notify banks of a data breach more easily

It is critical that companies and other organisations adopt effective and up-to-date measures and privacy protection practices that comply with any legislative changes.

Ensure your business complies with its data protection and privacy requirements

The recent breach is another reminder to make sure your business has in place procedures, facilities, agreements, documents, privacy policies, disclaimers and security measures to protect:

  • Your business from potential breaches of the Privacy Act or equivalent State legislation; and
  • Your clients’ and customers’ personal information

Protect your data as an individual

The recent data breach is also an important reminder to individuals to take steps to protect their personal information. Individuals can protect their personal information, including by:

  • Changing passwords regularly
  • Requiring multifactor authentication to access various accounts
  • Using effective passwords
  • Placing limits on the amount which may be withdrawn from your bank account

Following the Optus cyberattack, the Australian Competition and Consumer Commission (ACCC) advised Optus customers to do the following things, which are useful to note if you think you or your business has been the subject of a cyber security attack or unusual activity:

  • Monitor their device for unusual or suspicious activity
  • Change account passwords 
  • Check any bank accounts for unusual purchases

Legal advice about the Optus privacy breach

We can help you with advice about what privacy laws apply to your entity or business. We can also assist you with drafting agreements and policies to ensure compliance. 

Contact us today to learn more about how privacy breaches may impact you and your business. 

DISCLAIMER: We accept no responsibility for any action taken after reading this article. It is intended as a guide only and is not a substitute for the expert legal advice you can receive from marshalls+dent+wilmoth and other relevant experts.