On 8 August 2025, the Australian Information Commissioner (AIC) filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus) following an investigation into the data breach disclosed on 22 September 2022. The breach involved unauthorised access to the personal information of about 9.5 million current, former, and prospective customers, with some of this information later released on the dark web. The AIC alleges that between 17 October 2019 and 20 September 2022, Optus seriously interfered with privacy by failing to take reasonable steps, in breach of the Privacy Act 1988, to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. According to the AIC, Optus did not adequately manage cybersecurity and information security risks in proportion to the nature and volume of personal information held, the size of the organisation, and its risk profile. The personal information affected included names, dates of birth, home addresses, phone numbers, email addresses, and government-related identifiers such as passport numbers, driver’s licence numbers, Medicare card numbers, birth and marriage certificate details, as well as armed forces, defence force, and police identification information. The proceedings allege one contravention for each affected individual under section 13G of the Privacy Act, with each contravention carrying a maximum civil penalty of AUD 2.22 million. The higher penalties of up to AUD 50 million introduced in December 2022 do not apply, as the alleged conduct occurred before these amendments.