Telecom May Face Up to $2.22 Million Per Violation in Fines

The Australian privacy watchdog sued Optus, saying the country’s second largest telecom failed for years to protect sensitive customer data breached during a September 2022 incident affecting nearly 10 million people.
The Office of the Australian Information Commissioner alleges the telecom – a wholly owned subsidiary of Singapore-based Singtel – failed to take reasonable steps to protect personal information during the three-year period leading up to the breach.
“Businesses need to be extremely vigilant to the significant threats and risks in today’s cyber landscape,” said Australian Information Commissioner Elizabeth Tydd. The office initiated an investigation into the incident in October 2022.
The breach, one of the worst in Australia to date, resulted in the theft of data including email addresses, dates of birth and phone numbers. According to the Optus tally, the breach included the active government IDs of 1.2 million customers and 17,000 valid Medicare ID numbers.
The regulator said Optus faces a theoretical maximum penalty of more than AU$21 trillion, should the court levy the maximum of AU$2.22 million for each of the 9.5 million individuals whose privacy regulators say Optus violated. That total would amount to nearly eight times Australia’s gross domestic product.
A hacker going by “optusdata” claimed responsibility for the hack and demanded $1 million from Optus not to sell the data on a criminal forum. The hacker released data on 10,000 customers, data quickly seized on by cybercriminals to extort Australians into paying ransom. Optusdata ultimately decided not to go through with the threat to release the data, asserting a change of heart. “Too many eyes. We will not sale data to anyone. We can’t if we even want to: personally deleted data from drive (only copy),” the hacker wrote four days after posting the extortion demand.
Optusdata told Information Security Media Group at the time that the hack wasn’t difficult, that he or she had found an open database API not protected by authentication (see: Optus Under $1 Million Extortion Threat in Data Breach).
In a separate lawsuit against Optus launched in June 2024, the Australian Communications and Media Authority alleged that a series of mistakes left the API unsecured. The regulator said a coding error made in 2018 removed the access controls on the API. Optus came close to fixing the oversight in August 2021, after it detected a similar error elsewhere, but it overlooked this API, regulators said. The API “was permitted to sit dormant and vulnerable to attack for two years and was not decommissioned despite the lack of any need for it,” they told an Australian federal court in still-active litigation.
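The two failure modes the regulators describe above, an endpoint whose authentication was silently dropped and an endpoint that stayed reachable long after anyone needed it, are exactly the ones a deny-by-default router and a routine route audit are meant to catch. The following is an added example written for this page, not Optus code (the article says nothing about Optus’s stack): a toy in-memory router whose routes require authentication unless a developer explicitly opts out, an audit that lists every opted-out route not on a known public allowlist, and a dormancy check that lists routes with no traffic inside a window so they can be decommissioned. The customer records, the token and the route paths are all constructed for the demo.

```python
"""Deny-by-default route authentication plus a route audit (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, FrozenSet, List, Optional

# Constructed sample data: a toy customer table and one valid bearer token.
CUSTOMERS = {
    "1001": {"name": "A. Example", "dob": "1990-01-01", "phone": "+61400000000"},
    "1002": {"name": "B. Example", "dob": "1985-05-05", "phone": "+61400000001"},
}
VALID_TOKENS = {"tok-alice"}


@dataclass
class Route:
    path: str
    handler: Callable[[dict], dict]
    auth_required: bool = True          # deny by default: opting out must be explicit
    last_seen: Optional[datetime] = None


class Router:
    """Minimal in-memory router with an auth-required default."""

    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}

    def add(self, path: str, handler: Callable[[dict], dict], *,
            auth_required: bool = True) -> None:
        self.routes[path] = Route(path, handler, auth_required)

    def dispatch(self, path: str, request: dict, now: datetime) -> dict:
        route = self.routes.get(path)
        if route is None:
            return {"status": 404}
        route.last_seen = now           # record traffic for the dormancy audit
        if route.auth_required and request.get("token") not in VALID_TOKENS:
            return {"status": 401}
        return route.handler(request)


def customer_lookup(request: dict) -> dict:
    """Returns a customer record by id; with no auth this is an enumeration oracle."""
    record = CUSTOMERS.get(str(request.get("customer_id")))
    if record is None:
        return {"status": 404}
    return {"status": 200, "body": record}


def health(request: dict) -> dict:
    return {"status": 200, "body": "ok"}


def audit_unauthenticated(router: Router,
                          public: FrozenSet[str] = frozenset()) -> List[str]:
    """Routes that skip auth but are not on the explicit public allowlist."""
    return sorted(p for p, r in router.routes.items()
                  if not r.auth_required and p not in public)


def audit_dormant(router: Router, now: datetime, max_idle: timedelta) -> List[str]:
    """Routes with no traffic inside the window: candidates for decommissioning."""
    return sorted(p for p, r in router.routes.items()
                  if r.last_seen is None or now - r.last_seen > max_idle)


def run_demo() -> dict:
    router = Router()
    router.add("/api/customer", customer_lookup)                              # correct
    router.add("/api/customer-legacy", customer_lookup, auth_required=False)  # the mistake
    router.add("/healthz", health, auth_required=False)                       # legitimately public

    t0 = datetime(2022, 1, 1)
    no_token = {"customer_id": "1001"}
    with_token = {"customer_id": "1001", "token": "tok-alice"}
    results = {
        "primary_no_token": router.dispatch("/api/customer", no_token, t0),
        "primary_with_token": router.dispatch("/api/customer", with_token, t0),
        "legacy_no_token": router.dispatch("/api/customer-legacy", no_token, t0),
    }
    # Simulated later traffic: the primary route and health check stay in use,
    # the legacy route is never called again.
    router.dispatch("/api/customer", with_token, t0 + timedelta(days=100))
    router.dispatch("/healthz", {}, t0 + timedelta(days=119))

    results["unauthenticated"] = audit_unauthenticated(router, public=frozenset({"/healthz"}))
    results["dormant"] = audit_dormant(router, t0 + timedelta(days=120), timedelta(days=90))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the demo is the asymmetry: with the default set to deny, a developer has to write `auth_required=False` to reproduce the 2018 error, which makes it greppable and lets `audit_unauthenticated` flag it on every deploy; and because the router records last-seen traffic, `audit_dormant` surfaces the legacy endpoint as decommission-ready instead of letting it sit reachable for years. In a real service the same two checks run against the framework’s route table and the access logs rather than an in-memory dict.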
An Optus spokesperson responded to the lawsuit by telling Australian media that the telecom again apologized for the incident but that it wouldn’t comment further on active litigation.
The incident was part of an apparent wave of cyberattacks buffeting the country during 2022. Australia’s largest private health insurer, Medibank, suffered an October 2022 attack by a Russia-based cybercriminal group that dumped onto the dark web what it said was five gigabytes of stolen personal data. The Australian Information Commissioner also sued Medibank in June 2024.
The back-to-back incidents led a top Australian official in December 2022 to vow the country would become “the world’s most cyber-secure country by 2030” (see: Australia Aims to Be World’s ‘Most Cyber-Secure’ Country).