Optus faces an unknown bill for compensation for a privacy breach that came to light in 2019, that led to the erroneous publication of 51,000 customers’ unlisted phone numbers in the White Pages directory.
An Office of the Australian Information Commissioner (OAIC) determination ends a lengthy and complex investigation into the privacy breach which took place after other, similar cases dating back to 2013.
Privacy commissioner Carly Kind laid out a string of causes that contributed to the breach in the OAIC determination, including deficiencies and errors across people, process and technology domains over several years.
Customers who ported (moved) their phone numbers to Optus were the customer cohort impacted the privacy breach, which occurred between 2015 and 2019, and which the OAIC began investigating in 2021.
When those customers shifted to Optus, they were asked whether they wanted their number listed or unlisted in the White Pages.
However, Optus never passed that preference on to Telstra, which is legally obliged to arrange publication of the White Pages.
Telstra, in turn, would pass the unlisted number preference to Thryv (formerly Sensis), the company printing the directory.
Optus argued that for ported numbers, the customer’s former carrier would have already arranged for the number to be delisted, and so the arrangement should continue. That proved to be wrong in 41,278 cases.
Optus also argued it did not legally hold the personal information of those porting customers, since the original listing had been created by their former carriers, and disclosed to Telstra and Thryv.
Commissioner Kind rejected both arguments.
Once a customer had ported to Optus, she found, the telco was the only entity that could action an unlist request.
It therefore held the delisting information within the meaning of the Privacy Act.
Optus also argued that the errors were relatively small in scale: some 51,000 against approximately 912,500 directory change requests transmitted in 2018 alone.
Kind dismissed that framing, finding it failed to account for the serious potential impact on each individual affected whose unlisted number had been published.
Optus made attempts to partner with Thryv to reconcile whether or not the status of unlisted numbers was correct in each’s systems. However, the OAIC suggested Optus could have done more on its end.
Kind found that Optus had breached the Australian Privacy Principle (APP) 11.1.
As a next step, Kind will apply the determination findings to a representative complaint by Maurice Blackburn Lawyers and will consider “reasonable and proportionate compensation for affected class members”.
The White Pages is still being printed as a physical directory, but as of November 2025 the former book no longer carries residential listings.
