Optus data breach
Optus is Australia's second-largest mobile carrier, providing about 31% of mobile services. In September 2022, a cyber security incident exposed sensitive customer data.
Initially, Optus announced that the cyber security incident had led to the theft of personal information from about 150,000 customers, including names, birth dates, phone numbers, and email addresses. In the following days, Optus determined that the attacker had accessed between 2.5 million and 9.7 million records. For some customers, the exposed data included addresses and driver licence, Medicare, or passport numbers.
Optus worked with federal and state government agencies, including the Australian Cyber Security Centre, to decrease the risks to customers. Optus also notified the Office of the Australian Information Commissioner and key regulators.
The breach allegedly occurred through an unsecured application programming interface (API) that accepted requests from any device or system without requiring the caller to authenticate. The damage to Optus was significant, including substantial spending on remediation and potential compensation for victims. Estimates also suggest a $1.5 billion loss in Optus's brand value.
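The failure mode described above, as an added illustration rather than code from Optus or from the original page: a record lookup that answers any caller, shown beside a hardened form that authenticates the caller, allows access only to the caller's own record, and returns only the fields the purpose needs. The customer records, the token format and the signing key are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records for this example only; not real customer data.
CUSTOMERS = {
    1001: {"name": "A. Customer", "dob": "1990-01-01", "phone": "+61400000001",
           "email": "a@example.invalid", "licence": "DL123456"},
    1002: {"name": "B. Customer", "dob": "1985-05-05", "phone": "+61400000002",
           "email": "b@example.invalid", "licence": "DL654321"},
    1003: {"name": "C. Customer", "dob": "2001-09-09", "phone": "+61400000003",
           "email": "c@example.invalid", "licence": "DL111222"},
}

# Hypothetical server-side token signing key; in practice it comes from a secrets store.
SERVER_KEY = b"example-signing-key-not-for-production"

# Fields a customer self-service endpoint legitimately needs to return.
PUBLIC_FIELDS = ("name", "phone", "email")


def vulnerable_lookup(customer_id):
    """The weak pattern: return the record for any id without asking who is calling."""
    return CUSTOMERS.get(customer_id)


def enumerate_vulnerable(id_range):
    """Why that matters: with no authentication, any caller can walk the id space
    and pull every record, identity document numbers included."""
    found = {}
    for cid in id_range:
        rec = vulnerable_lookup(cid)
        if rec is not None:
            found[cid] = rec
    return found


def issue_token(customer_id):
    """Issue a bearer token bound to one customer id (HMAC-SHA256 over the id)."""
    sig = hmac.new(SERVER_KEY, str(customer_id).encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{sig}"


def verify_token(token):
    """Return the customer id a token was issued for, or None if absent or forged."""
    if not isinstance(token, str) or "." not in token:
        return None
    cid_str, sig = token.split(".", 1)
    if not cid_str.isdigit():
        return None
    expected = hmac.new(SERVER_KEY, cid_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return int(cid_str)


class Forbidden(Exception):
    """Raised when a request is unauthenticated or not entitled to the record."""


def hardened_lookup(customer_id, token):
    """Hardened form: authenticate the caller, allow access only to the caller's own
    record, and return only the fields the purpose needs (no licence number)."""
    caller = verify_token(token)
    if caller is None:
        raise Forbidden("missing or invalid token")
    if caller != customer_id:
        # Authenticated but not entitled: stops one customer reading another's record.
        raise Forbidden("token is not valid for this customer")
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        return None
    return {k: rec[k] for k in PUBLIC_FIELDS}
```

The enumeration function is the whole point of the weak version: once an endpoint answers without credentials, the size of the exposure is the size of the id space, not the number of customers who ever used the feature. The hardened version also illustrates that authentication alone is not enough; the token-to-record check is what prevents an authenticated customer from reading everyone else's data.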
An account on a dark web forum claimed to have stolen the data and later to have deleted it, but neither claim can be verified. The stolen identity data may still surface, leaving Optus customers at ongoing risk of identity theft. The incident also affected government agencies, such as the Queensland Department of Transport and Main Roads, which had to replace over 178,000 driver licences.
This incident has prompted many organisations to re-evaluate the sensitive data they hold, and their business needs for collecting and storing this data. When legally permitted to do so, organisations should consider discarding unnecessary data.
The lesson is clear: if an organisation doesn’t hold sensitive customer data, it can't lose it.
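The review described above, as an added illustration and not code from the original page: first an inventory of which identity document numbers are still held, then a minimisation pass that drops those numbers once verification is complete and a retention window has passed, keeping only the fact that the customer was verified. The records, the 30-day window and the `legal_hold` flag (standing in for the "required or authorised by law to keep it" case) are assumptions made for the example; the real retention period is a legal question, not a technical one.

```python
from datetime import datetime, timedelta, timezone

# Identity document numbers collected only to verify a new customer's identity.
VERIFICATION_FIELDS = ("drivers_licence", "passport", "medicare")


def inventory(customers):
    """Step one of a data review: count how many records still hold each
    identity document number."""
    counts = {f: 0 for f in VERIFICATION_FIELDS}
    for rec in customers:
        for f in VERIFICATION_FIELDS:
            if rec.get(f) is not None:
                counts[f] += 1
    return counts


def minimise(customers, now, retention):
    """Step two: once verification is complete and the retention window has passed,
    drop the document numbers and keep only a verified marker. Records flagged as
    required to be kept by law are left untouched. Returns the ids that changed."""
    changed = []
    for rec in customers:
        verified_at = rec.get("verified_at")
        if rec.get("legal_hold") or verified_at is None:
            continue
        if now - verified_at < retention:
            continue
        touched = False
        for f in VERIFICATION_FIELDS:
            if rec.get(f) is not None:
                rec[f] = None
                touched = True
        if touched:
            rec["identity_verified"] = True  # keep the outcome, not the number
            changed.append(rec["customer_id"])
    return changed


def sample_customers():
    """Constructed records for the example; not real data."""
    utc = timezone.utc
    return [
        {"customer_id": 1, "name": "A. Customer", "drivers_licence": "DL123456",
         "passport": "PA0000001", "medicare": None,
         "verified_at": datetime(2022, 6, 1, tzinfo=utc), "legal_hold": False},
        {"customer_id": 2, "name": "B. Customer", "drivers_licence": None,
         "passport": None, "medicare": "2000 00000 1",
         "verified_at": datetime(2022, 12, 20, tzinfo=utc), "legal_hold": False},
        {"customer_id": 3, "name": "C. Customer", "drivers_licence": None,
         "passport": "PA0000003", "medicare": None,
         "verified_at": datetime(2022, 1, 1, tzinfo=utc), "legal_hold": True},
        {"customer_id": 4, "name": "D. Customer", "drivers_licence": None,
         "passport": None, "medicare": None, "verified_at": None, "legal_hold": False},
    ]


def run_review():
    """Run the inventory, the minimisation pass and a second inventory against the
    sample data with a fixed 'today' and a hypothetical 30-day retention window."""
    customers = sample_customers()
    now = datetime(2023, 1, 1, tzinfo=timezone.utc)
    before = inventory(customers)
    changed = minimise(customers, now, timedelta(days=30))
    after = inventory(customers)
    return {"before": before, "changed": changed, "after": after, "customers": customers}


if __name__ == "__main__":
    result = run_review()
    print("held before:", result["before"])
    print("minimised ids:", result["changed"])
    print("held after:", result["after"])
```

The inventory matters as much as the deletion: an organisation cannot decide what it no longer needs until it can say what it holds and why. Running the inventory again after the pass gives a figure that can be reported to the people who own the risk.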
No organisation is immune from a cyberattack. To be cyber-resilient, companies must have plans to respond quickly when an attack happens. As this case shows, technical incident response is just one part of the puzzle.
Note - Commonwealth law requires businesses to take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose permitted under the Privacy Act. This requirement does not apply if businesses are required or authorised by law to keep it. Please obtain your own legal advice.