Optus breach: New investigations launched, millions in fines on the table
Two separate but coordinated investigations launched that could result in millions of dollars in fines for Optus.
Australian telecoms giant Optus is facing two additional investigations in relation to the major data breach that occurred last month. Depending on the results of the investigation, the company could be forced to pay more than $4 million in damages.
As reported by The Guardian, the Australian Communications and Media Authority (ACMA) and the Office of the Australian Information Commissioner (OAIC) said they’d be launching “separate but coordinated” investigations.
ACMA will look into whether or not Optus complied with the rules and regulations of sensitive data management, while OAIC wants to investigate the steps Optus took to protect customer data. Each investigation, the publication added, could result in a fine of up to $2.2 million, but it could take “some time” before any conclusion is reached.
Cooperating with the regulators
Optus said it is committed to working with the regulators on this issue, while ACMA chair Nerida O’Loughlin stressed the importance of trust: “When customers entrust their personal information to their telecommunications provider, they rightly expect that information will be properly safeguarded. Failure to do this has significant consequences for all involved,” she said.
Besides the two new investigations, Deloitte is also running an external review, while the Australian federal police is looking into who stole, and is trying to sell, the sensitive data.
Three weeks ago, Optus confirmed that data from both current and former customers had been accessed. The threat actors managed to obtain customer identity data, including names, dates of birth, phone numbers, as well as email addresses, of millions of people. Some customers have also had physical addresses, ID document numbers such as driver's licenses or passport numbers exposed, as well.
Optus did not state who was behind the attack, what the motives of the threat actor were, nor how the systems ended up being compromised (for example, with phishing, or malware). It did say that it managed to immediately shut the attack down.
It also declined to say how many customers might have been affected by the breach, but given its user base, the number could be as high as about 10 million individuals.
- Here's our rundown of the best ID theft protection services for families right now