Optus, one of Australia’s largest telecommunications companies, has lost a legal battle in the Federal Court. The Australian Federal Court has ordered the company to release an external review performed by Deloitte to investigate the cause of a significant 2022 cyberattack that led to the release of sensitive customer data.
The Optus 2022 data breach resulted in the exposure of the names, dates of birth, phone numbers, and email addresses of over 10 million customers with addresses, driver’s licence or passport numbers being exposed for a portion of the affected customers.
Optus Appeal Against Sharing External Deloitte Report
The data breach incident along with 14-hour outage of its telecommunication services, frustrations over the availability of information/credit monitoring services and attempts of attackers to exploit the compromised data for use in SMS phishing attacks, led to intense scrutiny towards the company.
The company commissioned an independent external forensic review of the cyberattack from Deloitte over its security systems, controls and processes under the advise of the then CEO Kelly Bayer Rosmarin and the approval of its board. Bayer made the following statement over the decision:
“This review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists.
Kelly, later resigned over the incident with Optus now being led by a new CEO, who is working to rebuild trust with customers in a ‘challenging’ market.
Despite the efforts of the company to deal with the data breach, the recent court decision comes after Optus appealed an earlier ruling that it must hand over the report to Slater & Gordon, the law firm pursuing a class action against the company for allegedly failing to protect its customers’ personal information.
Optus has not yet made a public statement regarding the Federal Court’s decision. However, the company had previously argued that the Deloitte report was commissioned to provide legal advice and therefore it was privileged. The court, however, decided that Optus had failed to prove that the dominant purpose of the report was for legal advice.
Class Action Law Suit Against Optus and Implications of Court Ruling
Slater & Gordon, the law firm representing the affected Optus customers, has welcomed the court’s decision. The law firm’s class actions practice group leader, Ben Hardwick, criticized Optus’s efforts to keep the report confidential, stating that it indicates the company’s refusal to accept responsibility for its role in the data breach and its impact on millions of its customers.
In it’s April 2023 press release, the law firm’s leader had stated that more than 100,000 of Optus’s current and former customers had registered for the class action, with some notable examples among the group group such as:
-
a domestic violence victim who spent money that was intended for counselling for her children on increasing security measures around the house, including installing video cameras and extra locks on doors and windows
-
a former Optus customer who had previously been burgled and had his identity stolen who now suffers severe anxiety after learning his personal information had been shared online
-
a stalking victim who takes extreme measure to maintain her privacy, especially her address, who fears her life has genuinely been put in danger by the data breach
-
a woman who is now too fearful to answer the telephone after noticing an increase in scam phone calls following the Optus cyberattack, and
-
a retired police officer concerned that his home address may have been shared with criminals he was involved in the prosecution and incarceration of.
The press release also cited the frustration several customers expressed over alleged delays by Optus in providing details over the data breach, and reported inconsistencies in how the telecommunications giant had been treating affected customers
Some Optus registrants claimed to the law firm that they were dismissed when they sought further information from Optus, while others informed that the company refused to pay for credit monitoring services under the basis that they were no longer Optus customers.
“There appears to have been a piecemeal response from Optus, rather than a coordinated approach that made sure everyone whose data was compromised is treated the same.”
The Federal Court’s decision sets a significant precedent for companies involved in data breaches. It underscores the importance of transparency and accountability in such situations, and it may encourage other companies to take stronger measures to protect their customers’ personal information.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.