In late September 2022, Slaters (ASX: SGH) announced it was investigating a class action against Optus for what it called, at the time, “potentially the most serious privacy breach in Australian history”, in which the personal information of up to 10 million customers — including customer names, dates of birth, phone numbers, email addresses, Medicare cars, driver’s licences, and passport numbers were accessed by, and/or disclosed to, an unknown number of unauthorised persons — had been compromised in a cyber attack.

Now, the firm has filed a statement of claim in the Federal Court accusing the telco giant of breaching privacy, telecommunication and consumer laws.

Moreover, Slaters is accusing Optus is failing to protect or take reasonable steps to protect customers’ personal information from unauthorised access or disclosure, failing to destroy or de-identify former customers’ personal information, and failing to ensure that only those who had a legitimate reason for having access to customers’ personal information could access it.

The firm is also alleging that Optus breached its contractual obligations to customers along with its duty of care to ensure customers did not suffer harm arising from the unauthorised access or disclosure of their personal information.

Such harm was “reasonably foreseeable if customer data was compromised”, the firm submitted.

Group members will be seeking compensation for losses the data breach caused, including time and money spent replacing identity documents in addition to other measures to protect their privacy and prevent the increased likelihood of them falling victim to scams and identity theft, as well as damages for non-economic losses “such as distress, frustration and disappointment”.

The proceedings follow the investigation launched by fellow plaintiff firm Maurice Blackburn (also in September of last year), as well as an investigation by the Office of the Australian Information Commissioner, announced in October.

VIEW ALL

The news also follows the market announcement earlier this week from Slaters, as reported by Lawyers Weekly, that it would suspend trading on the ASX as early as next week and that private equity firm Allegro Funds is set to acquire the balance of Slaters shares that it does not already own — having recently surpassed 90 per cent ownership in the plaintiff firm and appointed two new board directors.

A ‘piecemeal’ response from Optus

Speaking about the proceedings, Slaters class actions practice group leader Ben Hardwick said that what occurred was “an extremely serious privacy breach both in terms of the number of people affected and the nature of the information that was compromised”.

“Very real risks were created by the disclosure of this private information that Optus customers had every right to believe was securely protected by their telecommunications and internet provider,” he proclaimed.

“The type of information made accessible puts affected customers at a higher risk of being scammed and having their identities stolen, and Optus should have had adequate measures in place to prevent that.

“Concerningly, the data breach has also potentially jeopardised the safety of a large number of particularly vulnerable groups of Optus customers, such as victims of domestic violence, stalking and other crimes, as well as those working in frontline occupations, including the defence force and policing.”

Many of the affected customers, Mr Hardwick went on, expressed frustration about Optus’s delays in providing detailed information about the privacy breach and inconsistencies with how the telco was treating one affected customer to the next.

“Some registrants have told us they were fobbed off when they sought information from Optus about exactly what data had been exposed, and others have informed us that Optus refused to pay for credit monitoring services on the basis they were no longer Optus customers,” he explained.

“There appears to have been a piecemeal response from Optus, rather than a coordinated approach that made sure everyone whose data was compromised is treated the same.

“Any suggestion that affected customers have not suffered as a result of this data breach is like rubbing salt into the wounds of those who have lived it and are continuing to deal with the fallout.”