Optus, units receive notice of Australia’s probe into cyberattack

OPTUS and some of its wholly-owned subsidiaries have received notices of intention to commence formal investigations by the Office of the Australian Information Commissioner (OAIC) and Australian Communications and Media Authority (ACMA).

In a midday bourse filing on Tuesday (Oct 11), the Australian unit of Singtel : Z74 0% said it remains committed to working with governments and regulators as it responds to the impact of the cyberattack.

Optus intends to “fully engage with the OAIC and ACMA as they undertake investigations”, it added.

Shares of Singtel were up S$0.02 or 0.8 per cent at S$2.51 as at the midday break before the group filed its announcement with the Singapore bourse – hours after both regulators separately announced their own investigations into the September 2022 breach.

In its press statement on the same day, OAIC said it was investigating whether the Optus companies took reasonable steps to protect customer data and comply with privacy laws. It also indicated the possibility of forcing Optus to take steps to ensure the breach cannot be repeated in the event of discovering that “interference with the privacy of one or more individuals has occurred”. 

On the other hand, ACMA said it was investigating whether Optus met its industry obligations as a telecommunications provider in terms of the keeping and disposing of personal data. The authority added that it was working in conjunction with OAIC and the Department of Home Affairs to “ensure effective information-sharing across the respective jurisdictional investigations”.

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

“All telcos have obligations regarding how they acquire, retain, protect and dispose of the personal information of their customers. A key focus for the ACMA will be Optus’ compliance with these obligations,” said ACMA chair Nerida O’Loughlin.

The government investigations follow Optus’ Oct 3 confirmation that the cyberattack – which took place in late September this year – resulted in a leak of the personal identification data of some 2.1 million of its 9.8 million customers.

Australian law firm Maurice Blackburn on Oct 7 lodged a complaint with the Office of the Australian Information Commissioner, alleging that Optus failed to protect the personal information of customers and destroy data it no longer needed.

On the morning of Oct 10, Singtel announced a cybersecurity incident at Dialog – an Australia-based IT services consulting company acquired in April 2022 by a subsidiary of Singtel-owned NCS.

The telecommunications giant highlighted Dialog’s systems as completely independent of NCS, Optus and Singtel. It also said there was no evidence of any link between the incident and the recent Optus security breach.