Slater and Gordon commence Optus Data Breach Class Action

April 21, 2023 |

It is hardly surprising that a class action against Optus would be issued. Yesterday Slater and Gordon made that announcement. This follows from the Medibank Data Breach Class Action which is being funded by Omni Bridgeway. Baker and McKenzie is acting for the claimants. Maurice Blackburn, Centennial Lawyers and Bannister Legal opted for the Privacy Act route making a complaint to the Information Commissioner. The Commission has advised those firms that it won’t be investigating the complaints because the class action on foot would provide the appropriate remedies. It is not surprising that Andrew Watson of Maurice Blackburn is not best pleased given the Commissioner is continuing to investigate the Optus breach. He was reported as saying “They’re proposing to conduct an investigation as to whether there’s a breach, but not deal with compensation. If they’re not going to do it on this one, what are they there for?”. A fair point. At the moment to seek remedies through the Privacy Act is do deal with incoherent processes, given to exercises of discretion by the Commissioner that could bring matters to a sudden stop. I could have said that because I practice in this area. Maurice Blackburn clearly does not. It was always better to go the class action route in the Federal Court. One can only hope that the review of the Review of the Privacy Act and the resulting legislation will provide clearer and more coherent enforcement and compensatory process.

The Slater and Gordon statement provides:

Class action commenced

Slater and Gordon filed a group proceeding (class action) in the Federal Court of Australia against Optus on 21 April 2023. The class action is brought by two lead applicants, a school teacher and a government employee, on behalf of Optus customers whose personal information was compromised in the Optus data breach announced on 22 September 2022. Current and former Optus customers have both been affected.

Eligible group members do not need to take any steps at this stage to participate in the class action.

If you would like to stay updated on the progress of the class action, you can register your interest below.?All personal information collected by Slater and Gordon through the registration process will be kept private.?We will only use or disclose your information for the purpose of legal proceedings or as required by the Court or by law.

Background

On 22 September 2022, Optus announced that a cyberattack had compromised its systems and resulted in unlawful access to the personal information of millions of current and former customers.

Optus advised its customers that the following types of identity documents were disclosed:

    • Driver licence numbers
    • Proof of age/proof of identity documents
    • Australian and international passport details
    • Medicare card numbers
    • Invalid/incomplete ID document numbers (relating to the above listed forms of ID)

Approximately 9.8 million former and current Optus customers were affected, including approximately 10,000 customers whose details were exposed on the dark web.

More information about support from Optus can be found here.

Eligibility

All former and current Optus customers whose information was compromised in the September 2022 data breach are eligible to participate in the class action.

Most affected customers were notified by Optus in the weeks following the data breach that their information had been impacted.

If you think that you have not been notified by Optus as your contact details may have changed, we encourage you to request confirmation from Optus.

Further information on obtaining your personal information from Optus can be found here.

Allegations

The class action makes allegations against a number of entities in the Optus Group (Optus), including:

    • Singtel Optus Pty Ltd (Singtel Optus)
    • Optus Mobile Pty Ltd (Optus Mobile)
    • Optus Internet Pty Ltd (Optus Internet)
    • Optus Networks Pty Ltd (Optus Networks)
    • Optus ADSL Pty Ltd (Optus ADSL)
    • Optus Satellite Pty Ltd (Optus Satellite)

It is alleged that Optus failed to protect, or take reasonable steps to protect, the personal information of its current and former customers.

Accordingly, the following is alleged:

    • Optus breached its contract with Optus customers;
    • Optus breached the Australian Privacy Principles under the Privacy Act 1988 (Cth);
    • Optus breached its duty of care to Optus customers; and
    • Optus breached Australian Consumer Law.

Funding arrangements

A reputable litigation funder has agreed to fund the legal costs of the class action. In exchange, the litigation funder will be entitled to a commission in the event of a successful outcome – the size of the commission will be determined by the Court.

Participating in the Optus Class Action will not expose you to any out-of-pocket costs.

If the class action is not successful, the litigation funder will incur costs in relation to Optus’s legal fees. Group members will not bear any financial risk as a result of participating in the class action.

The Court has oversight of legal fees charged to group members, and will consider whether proposed fees charged in the class action are reasonable and proportionate.

The story has received significant coverage with the ABC provided Optus data breach class action launched for millions of Australians caught up in cyber attack, the Sydney Morning Herald with Class action lawsuit launched against Optus after devastating hack, and the Australian with Slater and Gordon class action includes more than 100,000 past and present Optus customers.

The Australian article provides:

More than 100,000 former and existing Optus customers are part of a class action launched by legal firm Slater and Gordon accusing the telco of breaching privacy, telecommunication and consumer laws and internal policies following a massive data hack.

Optus on September 22 revealed the personal information of up to 10 million of its current and former customers had been compromised in a cyber attack.

Data including customer names, dates of birth, phone numbers and email addresses were accessed by, and/or disclosed to, an unknown number of unauthorised persons. Some customers’ addresses, ID document numbers such as driver’s licences, Medicare cards and passport numbers had also been compromised.

The personal information of more than 10,000 customers was subsequently published online when ransom demands were made.

The class action claims Optus allegedly failed to protect or take reasonable steps to protect customer data from unauthorised access or disclosure, failed to destroy or de-identify former customers’ personal information, and failed to ensure legitimate access to the data.

“Optus has also been accused in the class action of breaching contractual obligations to customers along with its duty of care to ensure customers did not suffer harm arising from the unauthorised access or disclosure of their personal information,” Slater and Gordon said in its statement.

Among those seeking redressal is an unidentified domestic violence victim, who has spent her counselling funds pool on increasing security measures around the house, including installing video cameras and extra locks on doors and windows.

A stalking victim is fearful after “her life has genuinely been put in danger by the data breach,” the law firm said.

 

The exhaustive list also includes a retired police offer who is concerned criminals have got access to his home address, while a former Optus customer who previously had his identity stolen is now suffering “severe anxiety” over the repeat experience.

“I had to make a lot of calls and do a lot of running around in the aftermath of this breach to make sure my bank account and other accounts hadn’t been compromised, and I noticed I was being targeted by phishing and other scams a lot more frequently,” one victim told Slater and Gordon.

Another said: “it was incredibly stressful trying to get answers from Optus about what information had been exposed and then taking action to rectify the damage so I could try to stop anything else from happening.”

Compensation is being sought for losses the data breach caused, including time and money spent replacing identity documents in addition to other measures to protect their privacy and prevent the increased likelihood of them falling victim to scams and identity theft. Damages for non-economic losses such as distress, frustration and disappointment are also being sought.

Slater and Gordon’s Ben Hardwick said it was “an extremely serious privacy breach both in terms of the number of people affected and the nature of the information that was compromised”.

“Very real risks were created by the disclosure of this private information that Optus customers had every right to believe was securely protected by their telecommunications and internet provider,” Mr Hardwick said

The real problem in all of this is that I do not, currently at least, hold a brief in either class action.  What a waste!

Leave a Reply





Verified by MonsterInsights