Australia kicks off investigation into Optus data breach

Office of the Australian Information Commissioner's scrutiny will focus on whether the Singtel-owned mobile operator, as well as its subsidiaries, took "reasonable steps" to safeguard data they held from unauthorised access and misuse.
Written by Eileen Yu, Senior Contributing Editor

Australia has kicked off its investigation into the Optus data breach, during which the data practices of the mobile operator as well as its sister companies, Optus Mobile and Optus Internet, will be scrutinised to determine if they were in compliance with local regulations. 

The investigation would focus on whether the Optus companies took "reasonable steps" to safeguard the personal data they held from misuse, interference, loss, unauthorised access, modification, or disclosure, said the Office of the Australian Information Commissioner (OAIC) in a statement Tuesday. It also would determine if the Singtel-owned entities had collected and retained only information necessary to facilitate their business.

In addition, the investigation would assess whether the companies took reasonable steps to implement practices and systems to ensure compliance with the Australian Privacy Principles. Outlined in the country's Privacy Act 1988, these 13 principles govern standards and obligations around, amongst others, the collection and use of personal information as well as an organisation's governance and accountability. 

OAIC said its investigation would be coordinated with that of the Australian Communications and Media Authority (ACMA). 

The September 22 Optus security breach compromised various personal data of the telco's 9.8 million customers, including 1.2 million customers for whom at least one number from a current and valid form of identification was exposed. 

Should the investigation determine there was an interference with the privacy of at least one individual, the OAIC could require the Optus companies to take steps to ensure the act or practice was not repeated or continued, as well as to redress any loss or damage. 

The government agency noted that, should the investigation uncover serious or repeated breaches of Australia's Privacy Act 1988, it had the power to seek civil penalties through the federal court of up to AU$2.2 million ($1.42 million) for each contravention.

Australian Information and Privacy Commissioner Angelene Falk said attention given to the Optus breach underscored the need for local organisations to look at key privacy issues. 

Falk said: "If they have not done so already, I urge all organisations to review their personal information handling practices and data breach response plans to ensure information is held securely and that, in the event of a data breach, they can rapidly notify individuals so those affected can take steps to limit the risk of harm from their personal information being accessed.

"And collecting and storing personal information that is not reasonably necessary to your business breaches privacy and creates risk. Only collect what is reasonably necessary," she added. 

In line with the OAIC's Privacy Regulatory Action Policy, the OAIC will await the conclusion of the investigation before commenting further.
