The Australian Information Commissioner (AIC) has filed civil penalty proceedings in the Federal Court against Optus following the company's 2022 data breach.
The breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web.
The AIC alleges that from on or around 17 October 2019 to 20 September 2022, Optus "seriously interfered" with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, in breach of the Privacy Act 1988.
The Federal Court can impose a civil penalty of up to $2.22 million for each contravention of section 13G of the Privacy Act. The AIC alleges one contravention for each of the 9.5 million individuals whose privacy it alleges Optus seriously interfered with.
Whether a civil penalty order is made, and the amount, are matters before the court.
The AIC alleges that Optus failed to adequately manage cybersecurity and information security risk in a manner commensurate with the nature and volume of personal information that Optus held, the size of Optus, and the risk profile of Optus.
In October 2022, the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority opened a joint investigation into the data breach, examining how Optus handled customer information.
Australian Privacy Commissioner Carly Kind said the Optus data breach highlights some of the risks associated with external-facing websites and domains, particularly when these interact with internal databases holding personal information, as well as the risks around using third-party providers.
“All organisations holding personal information need to ensure they have strong data governance and security practices,” she said.
“These need to be both thorough and embedded, to guard against vulnerabilities that threat actors will be ready to exploit.
“Effective stewardship of individuals’ personal information is critical, and businesses need to be extremely vigilant to the significant threats and risks in today’s cyber landscape.”