Goodbye job applications, hello dream career
Seize control of your career and design the future you deserve with LW career

Optus fails to keep report into cyber attack out of class action

The Federal Court has dismissed Optus’ appeal to hold back a Deloitte report into its 2022 cyber attack from class action lawyers.

user iconNaomi Neilson 28 May 2024 Big Law
expand image

The Australian Federal Court has ruled that Optus will not be able to keep a report it commissioned from professional services firm Deloitte regarding its 2022 cyber attack out of the hands of lawyers representing a class action against the telco.

Optus had claimed that the report and its contents were protected under legal professional privilege and that it was primarily commissioned to provide legal advice. However, Federal Court judge Justice Jonathan Beach ruled against this claim in November, saying there were “problematic aspects” to the company’s claim.

Justice Beach determined that since the report had been mentioned in an Optus press release, and then Optus CEO had said the report would “help inform the response to the incident”, its “dominant purpose was not a legally privileged purpose”.


“This is hardly the stuff of a report being prepared or used predominantly for legal advice or a litigation purpose,” said at the time.

The report must now be shared with law firm Slater & Gordon, which is pursuing the class action on behalf of Optus customers impacted by the data breach. It is expected that while the report is not being released to the public, portions of it will likely become public as the class action proceeds.

Ben Hardwick, class actions practice group leader at Slater & Gordon, is pleased by the Federal Court’s decision.

“Despite refusing to accept the umpire’s decision, Optus must now hand over the Deloitte report into how millions of its customers’ private information was accessed as a consequence of the 2022 data breach,” Hardwick told the AFR.

“Optus’s efforts to shield this report is indicative of a company that refuses to accept responsibility for its role in what happened, and the significant impact this data breach has had on millions of its Australian customers.”

A spokesperson for Optus told Cyber Daily that it will “respect the Court’s decision” and that the company is “considering our position”.

“Our priority is ensuring our customers have ongoing confidence in the integrity of our cyber defence systems,” the spokesperson said.

“In this regard, Optus will consider our next steps which may include seeking confidentiality orders relating to elements of the report that we believe are key to the ongoing protection of our customer data and our systems from cyber criminals.”