Australian Watchdog Seeks Multitrillion-Dollar Fine for Massive Telco Data Breach
Australian telco Optus could face fines of more than 21 trillion Australian dollars ($13.7 trillion) for a September 2022 data breach that compromised the privacy of nearly 10 million people, the Australian Information Commissioner (AIC) said Friday.
Meanwhile, France's Bouygues Telecom announced Wednesday that personal data, including contact details, contract information and international bank account numbers (IBANs) of 6.4 million of its customers, was stolen in an Aug. 4 cyberattack.
The alleged Optus violations, which occurred between October 2019 and the breach in September 2022, involved unauthorized access to personal data of current, former and prospective customers and the subsequent release of some information on the dark web, the AIC said. The office alleged that Optus failed to adequately manage cybersecurity and information security risks, given the nature and volume of the personal data it held and the telco's size and risk profile. Optus is Australia's second-biggest wireless carrier by market share.
The carrier didn't comment Friday.
The AIC launched an investigation after a 2022 cyberattack. Personal data stolen included names, dates of birth, phone numbers and government-related identifications such as passport numbers, it said.
Under Australian law, the AIC can seek a civil penalty order from the Federal Court in cases where an organization is alleged to have engaged in serious or repeated privacy breaches, the office noted. The court can impose penalties of up to AU$2.22 million for each violation, and the commissioner has alleged one breach for each of the 9.5 million people affected.
In the French breach, Bouygues said in its announcement that it notified CNIL, the country's data protection authority. The regulator posted advice Friday about dealing with data leaks and IBAN thefts. The telecom operator also set up an information website for customers. It said bank card numbers and passwords for accounts weren't affected, adding that it resolved the situation quickly and is contacting customers.
CNIL urged customers to monitor their bank account transactions regularly and refuse a transaction if necessary. Customers who believe they have been victims of identity theft after a data breach notification should follow government advice, notify their bank and file a police complaint as soon as possible, the regulator said.