Optus sued over massive customer data breach allegations

Watchdog says millions exposed in major cyber incident

By Roxanne Libatique

The Office of the Australian Information Commissioner (OAIC) has initiated civil penalty proceedings against Singtel Optus Pty Limited and Optus Systems Pty Limited in the Federal Court.

The action stems from a September 2022 cyber incident that exposed the personal information of about 9.5 million current, former, and prospective customers.

Federal Court proceedings begin

The OAIC alleges that from October 2019 to September 2022, Optus did not take adequate measures to safeguard personal data from misuse, interference, loss, or unauthorised access.

It further claims that the company’s handling of cybersecurity risks was not proportionate to the type and scale of the data it stored or the potential impact of a breach.

Regulator commentary

Australian Information Commissioner Elizabeth Tydd said the proceedings reflect the regulator’s role in enforcing privacy obligations.

“Organisations hold personal information within legal requirements and based upon trust. The Australian community should have confidence that organisations will act accordingly, and if they don’t, the OAIC as regulator will act to secure those rights,” she said.

Privacy Commissioner Carly Kind said the incident highlights the vulnerabilities in systems where public-facing domains link to internal databases and the associated risks of using external service providers.

“All organisations holding personal information need to ensure they have strong data governance and security practices. These need to be both thorough and embedded to guard against vulnerabilities that threat actors will be ready to exploit,” she said. “Effective stewardship of individuals’ personal information is critical, and businesses need to be extremely vigilant to the significant threats and risks in today’s cyber landscape.”

Details of the 2022 incident

The breach, first disclosed in September 2022, allowed an unauthorised party to access personal identifiers, including names, birth dates, addresses, phone numbers, and email addresses.

Certain records also contained passport details, driver’s licence numbers, Medicare card data, and other government-issued identification.

Some of this data was later published on the dark web.

The OAIC’s investigation focused on whether Optus’ privacy safeguards were reasonable given its resources, the sensitivity and volume of data, and the potential harm to individuals if compromised.

The OAIC alleges that these safeguards fell short of Privacy Act 1988 requirements.

Under section 13G of the Act, the court may order civil penalties of up to $2.22 million per serious or repeated interference with privacy for the period in question.

The higher penalty cap of $50 million introduced in December 2022 does not apply because the alleged conduct predates the change.

Rising cyber risk in Australia and beyond

The case comes as data breach activity remains high globally. Research from Rubrik Zero Labs found that 90% of technology and security executives surveyed in 10 countries reported at least one successful cyberattack in 2024. Nearly one in five said they experienced more than 25 attacks that year.

Australia recorded about 398,500 compromised online accounts in the first quarter of 2025 (Q1 2025), according to Surfshark, ranking 16th among affected countries despite a sharp drop from late 2024 levels.

In the Asia-Pacific, Aon’s 2025 Cyber Risk Report found a 29% rise in reported incidents over the past year, with social engineering attacks – some involving deepfake technology – up 53%. Insurance claims linked to such attacks increased 233%.

Beazley’s 2025 Risk & Resilience report noted that 29% of global business leaders now list cyber risk as their primary concern, compared with 26% a year earlier.
