Office of the Information Commissioner commences civil penalty proceedings against Optus in the Federal Court of Australia

August 10, 2025

It doesn’t rain for Optus. It pours. Optus announced on 22 September 2022 that it had suffered a major data breach. On 21 April 2023 Slater and Gordon filed a class action in the Federal Court of Australia, PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS. It is scheduled to have a case management hearing on 15 August 2025. In June 2025 Optus paid a $100 million penalty for unconscionable conduct.

The Australian Information Commissioner has announced that it has filed civil penalty proceedings against Singtel Optus Limited and Optus Systems Pty Ltd arising out of the 2022 data breach. The reference is AUSTRALIAN INFORMATION COMMISSIONER v SINGTEL OPTUS PTY LIMITED (ACN 052 833 208) & ANOR, Court number VID 1019/2025. The Information Commissioner is represented by the Australian Government Solicitor; previously it was represented by HWL Ebsworth. A concise statement and Originating Application were filed last Friday, 8 August 2025. The first case management hearing will be heard before Justice Beach this Friday, 15 August 2025. That day will be a very busy day for Optus.

A key issue is the reasonableness of its cybersecurity having regard to its size and the nature of the data it possessed.

The statement from the Information Commissioner provides:

The Australian Information Commissioner (AIC) has filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus), following an investigation in relation to the data breach made public by Optus on 22 September 2022.

The data breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web.

The AIC alleges that from on or around 17 October 2019 to 20 September 2022, Optus seriously interfered with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, in breach of the Privacy Act 1988.

The AIC alleges that Optus failed to adequately manage cybersecurity and information security risk in a manner commensurate with the nature and volume of personal information that Optus held, the size of Optus, and the risk profile of Optus.

“The commencement of these proceedings confirms that the OAIC will take the action necessary to uphold the rights of the Australian community,” said Australian Information Commissioner Elizabeth Tydd.

“Organisations hold personal information within legal requirements and based upon trust. The Australian community should have confidence that organisations will act accordingly, and if they don’t the OAIC as regulator will act to secure those rights.”

Australian Privacy Commissioner Carly Kind said, “the Optus data breach highlights some of the risks associated with external-facing websites and domains, particularly when these interact with internal databases holding personal information, as well as the risks around using third-party providers.

“All organisations holding personal information need to ensure they have strong data governance and security practices. These need to be both thorough and embedded, to guard against vulnerabilities that threat actors will be ready to exploit.”

“Effective stewardship of individuals’ personal information is critical, and businesses need to be extremely vigilant to the significant threats and risks in today’s cyber landscape.”

Background

In September 2022 Optus was the subject of a cyberattack. A threat actor accessed the personal information of millions of current and former Optus customers. The personal information held by Optus included:

    • names, dates of birth, home addresses, phone numbers and email addresses
    • government related identifiers, including passport numbers, driver’s licence numbers, Medicare card numbers, birth certificate information, marriage certificate information, and armed forces, defence force and police identification information.

The Office of the Australian Information Commissioner commenced an investigation into Optus’ privacy practices following this data breach. The investigation focused on how Optus managed and secured personal information and whether the steps it took were reasonable in the circumstances to protect personal information from misuse, unauthorised access and/or disclosure.

The Australian Information Commissioner alleges Optus did not take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the personal information it held, and the risk of harm for an individual in the case of a breach.

Federal Court civil penalties

The Australian Information Commissioner may apply to the Federal Court for a civil penalty order where an entity is alleged to have engaged in serious or repeated interferences with privacy in contravention of section 13G of the Privacy Act.

The Federal Court can impose a civil penalty of up to $2.22 million for each contravention. The Australian Information Commissioner alleges one contravention for each of the 9.5 million individuals whose privacy it alleges Optus seriously interfered with.

Increased civil penalties of up to $50 million came into effect in December 2022, although they do not apply to this case, as the alleged contraventions occurred from 17 October 2019 to 20 September 2022. Whether a civil penalty order is made, and the amount, are matters before the court.