Australian Information Commissioner flexes regulatory muscles on Optus for 2022 Data Breach

22/08/2025


In 2022, Optus suffered one of the most notorious data breaches since the Notifiable Data Breaches Scheme began in 2018. The breach affected approximately 9.5 million Australians, current and former Optus customers, each of whom had varying amounts of personal information stolen by hackers. The stolen information included names, dates of birth, phone numbers and email addresses, and in some cases government-related identifiers such as passport numbers, driver's licence numbers and Medicare numbers, sparking serious identity theft concerns.

The Australian Information Commissioner (AIC) has now (some 3 years later) commenced civil penalty proceedings in the Federal Court against Optus. The AIC alleges that Optus:

  • seriously interfered with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, in breach of the Privacy Act 1988; and 
  • failed to adequately manage cybersecurity and information security risks in such a way that was proportionate to the nature and volume of personal information that Optus held, the size of Optus, and the risk profile of Optus. 

The above allegations relate to conduct that occurred before the increase in civil penalties took effect in December 2022, as introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. Accordingly, the maximum penalty the Federal Court can impose on Optus under section 13G of the Privacy Act is $2.2 million for each contravention.

The AIC is alleging one contravention for each of the 9.5 million Australians affected by the breach. This means Optus is staring down the barrel of a whopping possible total penalty of $20.9 trillion.

Although the penalty ultimately imposed is unlikely to be anywhere near this amount, it will be interesting to see just how severely Optus is disciplined for its privacy shortcomings, and whether this action signals the AIC's readiness to flex its regulatory muscles in the future.
