Australia’s Optus hit with class-action suit over data breach

Over 100,000 current and ex-customers of Australian broadband and pay TV operator Optus have hit the company with a class-action lawsuit over a cybersecurity breach that occurred last year and compromised the data of up to 10 million existing and former customers.

The personal information of more than 10,000 customers was subsequently published online when ransom demands were made.

Optus has been one of a significant number of corporations hit by data security attacks in recent times in Australia. Others included telcos Telstra and TPG Telecom.

The attacks prompted the Australian government to announce plans to set up a new agency to coordinate strategy on cybersecurity.

The claim lodged against Optus alleged that company failed to observe its own polices and existing data laws when it failed to protect customer data.

Specifically, the suit accuses Optus of failing to protect or take reasonable steps to protect customers’ personal information from unauthorised access or disclosure; failing to destroy or de-identify former customers’ personal information, and failing to ensure that only those who had a legitimate reason for having access to customers’ personal information could access it.

Optus has also been accused in the class action of breaching contractual obligations to customers along with its duty of care to ensure customers did not suffer harm arising from the unauthorised access or disclosure of their personal information. It is claimed such harm was reasonably foreseeable if customer data was compromised.

“Very real risks were created by the disclosure of this private information that Optus customers had every right to believe was securely protected by their telecommunications and internet provider. The type of information made accessible put affected customers at a higher risk of being scammed and having their identities stolen, and Optus should have had adequate measures in place to prevent that. Concerningly, the data breach has also potentially jeopardised the safety of a large number of particularly vulnerable groups of Optus customers, such as victims of domestic violence, stalking and other crimes, as well as those working in frontline occupations including the defence force and policing,” said Ben Hardwick, class actions practice group leader at law firm Slater and Gordon, which filed the suit.

“These proceedings have been brought on behalf of customers in relation to the cyber-attack on Optus in September last year and are being brought by Australian law firm Slater & Gordon. These proceedings are being funded by a third-party litigation funder. The statement of claim alleges breach of contract, negligence and contraventions of the Australian Consumer Law, Telecommunications (Interception and Access) Act and the Privacy Act,” said Optus.

“The applicants are seeking a range of outcomes including declarations of contraventions, that Optus take reasonable steps to delete identifying personal information of ex-customers, damages and statutory compensation which have not presently been quantified, interest and costs. Optus is continuing its review of the court documents with its lawyers. Optus will vigorously defend the proceedings. In addition to the measures already taken to protect customers from this cybercrime, Optus continues to offer and provide support for any customers who may have been impacted by the attack.”