Two Australian regulators open investigations into Optus after data breach


SYDNEY (Reuters) – Two Australian regulators said on Tuesday they have opened investigations into Optus, the country’s No. 2 telecoms provider, after a breach of its systems resulted in the theft of personal data from up to 10 million accounts.

The probes only add to headaches for Optus, which disclosed the breach on Sept. 22 and has since come under heavy fire from the government and the public for not preventing the massive cyberattack. The Office of the Australian Information Commissioner (OAIC) said it was investigating whether the Singapore Telecommunications Ltd-owned (STEL.SI) company took reasonable steps to protect customer data and comply with privacy laws.

The Australian Communications and Media Authority (ACMA) said it was investigating whether Optus met its industry obligations as a telecommunications provider in terms of the keeping and disposing of personal data. Amid the widening fallout, the federal government has flagged it will overhaul data security laws to force firms which have had a cyberattack to notify banks about customers who may be compromised. Several law firms are also considering filing class action lawsuits.

The OAIC said in a statement that if it finds that “interference with the privacy of one or more individuals has occurred”, it may force Optus to take steps to ensure the breach cannot be repeated. The agency added that if it finds there was a breach of Australian privacy law, it can seek civil penalties of up to A$2.2 million ($1.4 million) per contravention.

ACMA Chair Nerida O’Loughlin said in a statement that failure by telecommunications providers to safeguard customer information “has significant consequences for all involved”.

Australian Competition and Consumer Commission Chair Gina Cass-Gottlieb told a parliamentary hearing the regulator was receiving 600 calls a day from people concerned about the Optus breach, although few had been scammed as a result.