On September 22, 2022, Optus, an Australia telecommunications provider, was hacked with the sensitive data of 9.8 million customers extracted. The company initially claimed that sophisticated hacking was to blame for the breach. Later, it was reported that the threat actor got unauthorized access to the company’s network by exploiting a publicly available API endpoint.  Follow the story here to find out what fallout there was from the Optus data breach for the company and it’s customers.

• Optus customers, not the company, are the real victims of massive data breach
• Experts have two theories on how Optus’ data was breached
• The Optus customer data breach could lead to a class action lawsuit. What might that look like?
• Companies face data cull as Optus liable for multimillion-dollar fines
• Optus class actions: This is who’s eligible to join
• ‘The new asbestos’: Does the Optus hack spell the end for paper ID checks?
• Privacy, telco regulators launch Optus breach investigations
• 10 per cent of Optus customers leave after cyberattack

Optus customers, not the company, are the real victims of massive data breach

Read more: The Guardian, 28 September, 2022

Experts have two theories on how Optus’ data was breached

Key Point

• The details of almost 10 million Australians were compromised in the Optus data breach, including financial identification and personal information.
• While there has been no concrete explanation to how the Optus data breach occurred, somehow the hacker managed to access the data without encryption.
• Experts warn that without scrupulous management of the methods used to encrypt and protect data, even encrypted information is at risk of breaches.

As Optus weathers the fallout from the damaging data breach that exposed the personal details of 9.8 million customers, questions have been raised about how protected the data was to begin with.

Read more: The Sydney Morning Herald, 28 September, 2022 (paywall)

The Optus customer data breach could lead to a class action lawsiut. What might that look like?

In Melbourne, law firm Slater and Gordon said on Tuesday it was investigating whether a deficiency in Optus’s management of data had led to the personal information of nearly 10 million current and former customers being leaked.  …

Michael Duffy, an associate professor and director of a corporate law and litigation group at Monash University, said class actions are a way for groups of people to seek remedies to a problem that affects them all.  …

In Optus’s case, it could involve thousands of people.

“Class actions are opt out, so you are nominally covered by a class action if you fall within the group definition,” Dr Duffy said.

Read more: ABC News, 28 September, 2022

Companies face data cull as Optus liable for multimillion-dollar fines

Companies are set to be forced to cut back the vast amounts of sensitive data they retain about their customers under changes to privacy laws being considered by the Albanese government in response to the Optus cyberattack.

Optus is facing major fines and damages payouts under current rules, even as the government prepares to significantly increase financial penalties for companies that fail to secure customer details from hackers.

Read more: The Sydney Morning Herald, 30 September, 2022 (Pay wall)

Optus class actions: This is who’s eligible to join

Two law firms are considering class actions against Optus over the data breach which exposed the personal details of millions of Aussies.

Maurice Blackburn and Slater and Gordon have both announced they are investigating possible class actions against Optus to seek compensation for customers impacted by the breach.

Read more: Yahoo! Finance, 5 October, 2022

‘The new asbestos’: Does the Optus hack spell the end of paper ID checks?

We have to hand over documents that identify us all the time, whether we’re scanning our ID to get into a club, attaching our birth certificates to an application to rent a house, or linking our passports with an airline account to get rewards points. But as the recent Optus data breach shows, mishandling of this information can cause chaos.

So, where do we go from here?

It can be hard to tell what happens to your data once you hand it over, even if you take the time to read privacy policies. Australia Post’s policy, for example, just says it collects and stores the data. My real estate agency’s policy says it will take reasonable steps to de-identify and destroy the data when it doesn’t need it anymore. But it’s not like I have any idea if or when that’s done.

Read more: The Sydney Morning Herald, 7 October, 2022 (Paywall).

Privacy, telco regulators launch Optus breach investigations

Australia’s privacy and communications regulators have launched coordinated investigations into the Optus data breach that saw the personal data of 9.8 million Australians compromised last month.

The inquiries will consider Optus’s obligations as a telco and its adherence to privacy law, including its potential failure to protect the data and “whether the information collected and retained was necessary to carry out their business”.

Serious contraventions could see Optus forced into undertakings and facing civil penalties.

Read more: Innovation Aus, 11 October, 2022

10 per cent of Optus customers leave after cyberattack

After the details of 9.8 million customers were stolen in a hack, the real cost of the massive breach for Australia’s largest second largest telco is starting to emerge.

The country’s second-largest telecommunications provider is facing 56 per cent of current customers “considering changing telcos as a direct result of the Optus cyber-attack”, while 10 per cent had already done so, according to the annual EFTM Mobile Phone Survey.

Read more: News.com.au, 31 October, 2022