22/08/2025

In 2022, Optus suffered one of the most notorious data breaches since the Notifiable Data Breaches Scheme began in 2018. The data breach affected approximately 9.5 million Australians, being current and former Optus customers, all of whom had varying amounts of their personal information stolen by hackers. The information stolen included names, dates of birth, phone numbers and email addresses, and even some government-related identifiers such as passport numbers, driver's licence numbers and Medicare numbers, sparking serious identity theft concerns.
The Australian Information Commissioner (AIC) has now (some 3 years later) commenced civil penalty proceedings in the Federal Court against Optus. The AIC is alleging that Optus:
- seriously interfered with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, in breach of the Privacy Act 1988; and
- failed to adequately manage cybersecurity and information security risks in such a way that was proportionate to the nature and volume of personal information that Optus held, the size of Optus, and the risk profile of Optus.
The above allegations relate to conduct that occurred before the increase to the civil penalty provisions, introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, came into effect in December 2022. Accordingly, the maximum penalty the Federal Court can impose on Optus under section 13G of the Privacy Act is $2.2 million for each contravention.
The AIC is alleging one contravention for each of the 9.5 million Australians affected by the breach. This means Optus is staring down the barrel of a possible total penalty of a whopping $20.9 trillion.
Although the penalty that gets imposed is unlikely to be anywhere near this amount, it will be interesting to see just how badly Optus is disciplined for its privacy shortcomings and whether this action represents a readiness of the AIC to flex its regulatory muscles in the future.