Optus faces class action over data breach that likely exposed small businesses

Telecommunications giant Optus is facing one of the largest class action claims in Australian history, with legal firm Slater and Gordon arguing a data breach that exposed the data of almost 10 million customers breached privacy laws, made users vulnerable to fraud attempts, and caused significant emotional distress.

Slater and Gordon filed its group proceeding with the Federal Court on Friday, relating to the fallout of last September’s data breach, which saw hackers access the personal identity documents, passport details and Medicare numbers entrusted to the telco.

Some 9.8 million customers were affected by the breach, and 10,000 of those Optus customers later had their personal data exposed on the dark web.

In a statement, Slater and Gordon alleged Optus breached privacy, telecommunication and consumer laws, arguing the company failed to protect sensitive data, did not adequately limit internal access to those details, and did not destroy customer data when it was no longer needed.

Optus also failed to uphold its contractual obligations to protect users from harm, the law firm alleges.

Slater and Gordon is seeking redress for the cost associated with replacing the personal IDs exposed in the breach, and what it calls the emotional toll of having those details uncovered.

The suit’s lead applicant, who wishes to remain unnamed, claims to have be the target of more phishing attacks after the breach.

“It feels like only a matter of time before I get scammed or defrauded, which is a constant worry that I didn’t have before I was let down by Optus,” they said.

Other applicants include a domestic violence survivor and burglary victim who allege the breach caused emotional distress, and a former police officer who claims to fear reprisal from those whose prosecution and incarceration he was involved with.

Ben Hardwick, class actions practice group leader at Slater and Gordon, said the emotional toll of the data breach should be considered in line with the financial cost of replacing leaked ID.

“Any suggestion that affected customers have not suffered as a result of this data breach is like rubbing salt into the wounds of those who have lived it and are continuing to deal with the fallout,” Hardwick said.

Slater and Gordon says any Optus customer whose information was uncovered in the breach is eligible to express their interest in the class action.

The telco intends to challenge the Federal Court action.

“As indicated previously, Optus will vigorously defend any such proceedings,” a spokesperson told SmartCompany.

The class action will only add to the pressure applied to Optus by the the Office of the Information Commissioner (OAIC) and Australian Communications and Media Authority, which are investigating the breach, and have the power to recommend compensation to its victims.

“If the OAIC’s investigation satisfies the Commissioner that an interference with the privacy of one or more individuals has occurred the Commissioner may make a determination that can include requiring the Optus companies to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage,” the organisation said last year.

Optus responds after small business details likely exposed

While Optus’ enterprise customers did not have their data exposed, small business owners who shared phone numbers between their personal and professional dealings are likely to have been swept up in the data breach.

Responding to the breach, Small Business Minister Julie Collins in September said the Albanese government “expects Optus to do everything to support affected customers, including small businesses”.

Optus’ response to the breach included the launch of a joint working group with the federal government to stem the worst outcomes, and the commissioning of Deloitte to conduct an independent review.

The telco also offered 12 months of free Equifax credit monitoring to affected users.

In March, Optus launched a ‘Cyber Panel’ comprised of American and Australian cyber security experts, which it claims will share important lessons for industry participants and “raise the bar in Australian cyber security”.