An Australian regulator has sued Optus, alleging the Singapore Telecommunications-owned carrier breached privacy laws during a 2022 cyber attack that compromised the personal data of millions of customers, both parties confirmed on Friday.
Optus, one of Singtel’s largest overseas investments, said in a statement that the Australian Information Commissioner (AIC) has accused the telecom operator of violating the Privacy Act 1988.
The Privacy Act governs how personal information is handled by government agencies and private entities.
The proceedings have been filed against Singtel Optus Pty Ltd. and Optus Systems Pty Ltd., Australia’s Optus said.
The AIC is alleging one breach of the law for each of the 9.5 million customers affected by the data breach, with the court potentially able to impose fines of up to A$2.2 million per breach. However, the privacy watchdog did not provide details on the total amount it is seeking.
Optus said it is reviewing the claims but has not assessed the potential financial impact.
The September 2022 breach, one of the worst in Australia’s history, exposed sensitive customer data including home addresses, passport details and phone numbers.
About 10 million Australians, or 40% of the population, were affected, with many unable to access mobile, broadband and landline services for much of the day.
The incident prompted Prime Minister Anthony Albanese to call for tougher privacy laws, including faster breach notifications to banks.
Optus has faced mounting public criticism, compounded by a 12-hour nationwide network outage in 2023. The twin crises led to the resignation of then-CEO Kelly Bayer Rosmarin in November 2023.
The company was also taken to court by the domestic media regulator in May 2024 over the cyber attack.
(Reporting by Rishav Chatterjee in Bengaluru; editing by Sherry Jacob-Phillips)
Related: