About 160,000 members join the Optus data breach class action

December 11, 2024

The Australian reports, in "Class action against Optus after 2022 data breach registers 160,000 members", that about 160,000 members have joined the class action against Optus resulting from the 2022 data breach. The report is based on submissions made at a case management hearing before Justice Beach today.

The class action is brought in proceeding PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS (number VID256/2023).

The article provides:

About 160,000 people whose passport and Medicare numbers were leaked online after Optus was hacked in 2022 have registered to partake in a class action against the telco.

Appearing for class action behemoth Slater & Gordon, barrister William Edwards, KC, told the Federal Court on Wednesday the estimated number of members to join the action, which alleges Optus failed to protect the personal information of 9.8 million of its current and former customers whose personal data was leaked online after a cyber attack.

The court was told Optus and Slater & Gordon were still trying to settle the case by mediation, with a hearing possible if that failed.

In court, the parties argued over how much security Slater & Gordon should give Optus since it insisted on a secretive regime to keep documents exchanged in the case away from the public.

Optus announced a cyberattack breached its systems which exposed personal information of millions of current and former customers, including about 10,000 customers whose details were leaked on the dark web.

Passport numbers, driver licence numbers, identity documents and Medicare card numbers were among the sensitive pieces of information leaked online.

Optus was heavily criticised and its then chief Kelly Bayer Rosmarin quit the telco in the wake of the attack, after initially claiming the company would release the findings of a Deloitte investigation into what happened but reneging on the promise.

Slater & Gordon have now received the report, but it is still suppressed from the public.

A separate action has been filed against the telco by the Australian Communications and Media Authority, alleging a coding error introduced to Optus’ public domain meant it was not “adequately” protected.

According to a redacted amended statement of claim, seen by The Australian, Optus was allegedly aware in August 2021 of vulnerabilities to the domain but not the coding error.

According to ACMA’s pleadings, at no time between September 2018 and September 2020 did Optus identify the coding error.

It said due to the coding error, a cyber attacker was able to obtain the personal information.

“The cyber attack was not a highly sophisticated cyber attack and did not require advanced skills,” the pleading stated.

In its defence, Optus said “the cyber-attacker commenced the cyber-attack with a high degree of knowledge of Optus’ systems”.

“Optus Mobile was the target of a criminal act by the Cyber-attacker that deliberately targeted Optus’ API interface,” the defence document said.

Optus claimed the cyber attacker avoided detection alerts.

ACMA is seeking pecuniary penalties against Optus.

After a very hard fight in June 2024 Optus was ordered to hand over the cyber attack report. The Australian reported this in "‘Win for transparency’: Optus hands up 2022 cyber attack report". The issue was whether the report was covered by legal professional privilege or was a discoverable document. The article provides:

Optus has finally handed over to a law firm pursuing a class action against it, a hard copy of a Deloitte report into a disastrous cyber attack that affected millions of customers.

Slater and Gordon brought the action on behalf of Optus customers whose data was leaked on to the dark web as a result of the incident, and class actions practice group leader Ben Hardwick said Optus has been fighting “tooth and nail to stop this report getting out for more than a year”.

“While the Deloitte report has been provided to us on a confidential basis for the purpose of the case only, we expect that, as the matter progresses, Optus customers will discover more information about the way this telco has treated their personal information,” he said.

“This is a great win for transparency. Optus and other big tech companies are quickly learning that they can’t get away with showing disregard for our personal information.”

On Thursday, the Federal Court gave Optus 24 hours to hand over a hard copy of its Deloitte report into the 2022 cyber attack.

Justice Jonathan Beach released fresh orders in the class action matter on Thursday that required Optus to share the report with the law firm.

“Within 24 hours of the date of these orders, the respondents discover and produce to the applicants for inspection a hard copy of the report prepared for one or more of the Optus respondents by Deloitte Touche Tohmatsu (Deloitte) concerning the data breach which occurred in mid September 2022 (Deloitte report), which is to be subject to the confidentiality obligations,” Justice Beach said.

The report will be subjected to a confidentiality agreement made between Optus and Slater and Gordon. Justice Beach has ordered the parties to attempt to agree on a regimen to manage documents in the court case.

As well, documents prepared by Optus for the purpose of giving instructions to Deloitte for preparing the report will have to be identified.

Optus twice failed to have the Deloitte report kept out of the court case, and two judgments ruled that Optus failed to prove the dominant purpose of the report was for legal advice.

Up to 9.5 million customers’ private and confidential information was released as a result of a cyber attack between September 17 and 20, 2022. The breach is now also the subject of two other inquiries being conducted by the Office of the Australian Information Commissioner and the Australian Communications and Media Authority.

Separately, this week it was revealed Optus would, on August 5, increase the price of some of its mobile plans for the first time in two years by about 5 per cent.

Australia’s second-largest telco said the price increase came at a time it was investing in its network to “boost capacity, speed and reliability of 4G, whilst rolling out our award-winning 5G network to even more Australians”.

 

 
