Two Australian regulatory bodies Tuesday announced formal investigations into the “cyberattack” security breach of the private information of 9.8 million Singtel Optus Pty Limited, Optus Mobile Pty Ltd and Optus Internet Pty Ltd (Optus) customers.
The Office of the Australian Information Commissioner (OAIC) released a statement that it has commenced an investigation into whether Optus took “reasonable steps to protect the personal information” of customers and a possible breach of Australian Privacy Principle 1 under the Privacy Act of 1988. If a violation is found, Optus could face penalties of $1.4 million USD.
The Australian Communications and Media Authority (ACMA) will investigate Optus’ compliance with obligations as a “telecommunications service provider.” ACMA will work with OAIC and the Department of Home Affairs to facilitate the effective communication of information “across the respective jurisdictional investigations.”
ACMA Chair Nerida O’Loughlin commented:
When customers entrust their personal information to their telecommunications provider, they rightly expect that information will be properly safeguarded. Failure to do this has significant consequences for all involved. All telcos have obligations regarding how they acquire, retain, protect and dispose of the personal information of their customers. A key focus for the ACMA will be Optus’ compliance with these obligations.
The results of both investigations will be made public when finalised. Optus publicly announced the breach on September 22. Stolen information includes driver’s license numbers, Medicare card numbers, passport numbers and other identification documents. The Albanese Government suggested amendments to Telecommunications Regulations 2021 in response to the breach.