Login
OAIC launches investigation into Optus
Following the Optus customer data breach, which left potentially millions of customers’ information in the hands of cyber criminals, the Office of the Australian Information Commissioner (OAIC) has today (11 October) commenced an investigation against the telco.
Lauren Croft
Customers of Australia’s second-largest telco may have had their names, dates of birth, phone numbers and email addresses stolen in the data breach — which was announced on 22 September — as well as license and passport numbers in some cases.
To continue reading the rest of this article, please log in.
Create free account to get unlimited news articles and more!
The data breach, which has been called one of the most serious in Australian history, has already sparked two separate class actions — from Slater & Gordon and Maurice Blackburn, which launched investigations on Monday, 26 September, and Wednesday, 28 September, respectively.
On Tuesday, the OAIC launched its own investigation into the personal information handling practices of Singtel Optus, Optus Mobile, and Optus Internet (the Optus companies) in relation to the breach.
The OAIC’s investigation will determine whether Optus took “reasonable steps” to protect customers’ personal information from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business.
The investigation will also consider whether the telco implemented certain practices, procedures and systems to ensure compliance with the Australia Privacy Principles (APPs), including those that would enable Optus to deal with related inquiries or complaints.
The OAIC’s investigation will also be co-ordinated with a separate investigation by the Australian Communications and Media Authority (ACMA), also announced on Tuesday.
Australian information and privacy commissioner Angelene Falk said the co-ordination of investigations by the OAIC and ACMA was a positive example of regulatory co-operation that would lead to efficient regulatory outcomes.
Additionally, if the OAIC’s investigation results in the commissioner being satisfied that an interference with the privacy of one or more individuals has occurred or serious interferences in contravention of Australian privacy law, then Optus could face penalties of up to $2.2 million per breach in the Federal Court.
While not commenting on the specific investigation, commissioner Falk said the widespread attention given to the Optus data breach had highlighted key privacy issues that corporate Australia should take heed of.
“If they have not done so already, I urge all organisations to review their personal information-handling practices and data breach response plans to ensure that information is held securely and that in the event of a data breach, they can rapidly notify individuals so those affected can take steps to limit the risk of harm from their personal information being accessed,” she said.
“And collecting and storing personal information that is not reasonably necessary to your business breaches privacy and creates risk. Only collect what is reasonably necessary.”
