More than 100,000 Optus customers whose personal information was compromised in last year’s cyber-attack have launched legal proceedings against the Singaporean-owned telco.
The class action was filed in the Federal Court by Slater and Gordon on Friday, with the law firm alleging that Optus breached privacy, telecommunications and consumer laws when the data was exposed.
The data breach – considered one of the most serious privacy breaches in Australia’s history – impacted as many as 9.8 million current and former customers in September last year. It has since been eclipsed by the Latitude data breach, which impacted 14 million customers.
While the majority of Optus customers had basic information, such as names and phone numbers, disclosed, at least 2.1 million had identity documents, like driver’s licences, passports and Medicare cards, exposed.
More than 10,000 customers also had their personal information published on a widely known internet forum about data breaches when the alleged Optus attacker made ransom demands. The extortion attempt was later abandoned by the individual.
In the statement of claim filed on Friday, Slater and Gordon alleges Optus failed to protect the information of customers from unauthorised access, failed to destroy or de-identify the information of former customers, and did not ensure it could only be accessed by those with a legitimate reason.
The law firm has also accused Optus of breaching contractual obligations to customers, as well as its duty of care. It claims that “such harm was reasonably foreseeable if customer data was compromised”.
“Very real risks were created by the disclosure of this private information that Optus customers had every right to believe was securely protected by their telecommunications and internet provider,” Slater and Gordon class actions practice group leader Ben Hardwick said.
“The type of information made accessible put affected customers at a higher risk of being scammed and having their identities stolen, and Optus should have had adequate measures in place to prevent that.”
The class action is seeking compensation for the “time and money spent replacing identity documents” and any other measures taken to prevent fraud, as well as “non-economic losses” related to distress and frustration.
The lead applicant, who does not wish to be named for fear of being targeted by cyber criminals, said the data breach had left him feeling “vulnerable, exposed and worried”. The Victorian man said that “not knowing what might happen with his data “haunts” him.
“I had to make a lot of calls and do a lot of running around in the aftermath of this breach to make sure my bank account and other accounts hadn’t been compromised, and I noticed I was being targeted by phishing and other scams a lot more frequently,” he said.
If successful, the class action could be the largest for a breach of privacy to date. In 2019, a data breach involving 130 NSW Ambulance staff resulted in a $275,000 settlement, or around $2400 for each participant and $10,000 for the lead plaintiff.
Newcastle University academics Mirealla Atheron and Eliezer Sanchez-Lasaballett last year opined that a class action involving millions of customers could be worth billions, surpassing the records of $494 million paid to 10,000 victims of Victoria’s 2009 Black Saturday bushfires.
Do you know more? Contact James Riley via Email.