Optus has sought to rein in speculation about the size of any penalty it might face from a Federal Court action relating to its 2022 data breach.
In a statement to the SGX [pdf] on Friday, Optus also indicated it would dispute the number of potential contraventions of data protection laws that it is accused of making.
The Australian Communications and Media Authority (ACMA) filed a lawsuit against Optus last month, alleging the telco did not meet its obligations to “protect the confidentiality of its customers’ personal information from unauthorised interference or unauthorised access”.
The SGX filing shows that the ACMA “alleges 3.6 million breaches” of Australian law; Optus, however, said it is “only aware of approximately 10,200 customers having had their personal information published on the internet as a result of the cyberattack”.
The 10,200 number relates to an initial leak of a sample of stolen data that was made as part of a ransom demand.
Optus said that monitoring for misuse of this leaked data continued, and that it had “taken significant steps … to mitigate potential harm to customers impacted by this attack.”
On the issue of penalties that could arise from the case, Optus sought to downplay some of the back-of-the-envelope calculations – running to billions or even trillions of dollars – that have been speculated across mainstream media since the case was filed.
The telco said the issue of penalty was ultimately one for the Federal Court, though noted that any penalty “is not necessarily a direct calculation based on the number of contraventions” multiplied by the maximum penalty per contravention.