AIC Launches Civil Penalty Action Against Optus
The action follows the 2022 Optus data breach, which exposed the personal information of around 9.5 million Australians, some of which was later released on the dark web.
The AIC alleges Optus failed to take reasonable steps to protect personal data between October 2019 and September 2022, in breach of the Privacy Act 1988. According to Commissioner Elizabeth Tydd, the case underscores the OAIC’s commitment to upholding community rights and ensuring organisations meet their legal obligations.
Australian Privacy Commissioner Carly Kind highlighted that the breach demonstrates the risks linked to internet-facing systems, third-party providers, and weak data governance. She urged all organisations to embed strong privacy and cybersecurity practices to protect against today’s escalating threats.
If proven, the Federal Court could impose penalties of up to $2.22 million per contravention. With one alleged contravention for each affected individual, this case represents one of the most significant privacy actions in Australia’s history.