ARN

Optus faces potential class action over data breach

Law firm Slater and Gordon claims this could be Australia’s “most serious” data breach case ever.

Law firm Slater and Gordon is investigating a potential class action case against Optus for its data breach that could affect up to 9.8 million current and former customers in the “worst case scenario”.

The firm claimed that the consequences of the breach could be “significant” even though Optus has yet to confirm the full extent of the data loss. 

In the data breach, the stolen information included identification items such as licence numbers and passport numbers, as well as customers’ names, dates of birth, phone numbers and email addresses.

Slater and Gordon class actions senior associate Ben Zocco said this could be Australia’s “most serious” data breach case ever in terms of the number of people affected and the nature of the disclosed information.

Ben Zocco (Slater and Gordon)Credit: Supplied
Ben Zocco (Slater and Gordon)

“We consider that the consequences could be particularly serious for vulnerable members of society, such as domestic violence survivors, victims of stalking and other threatening behaviour and people who are seeking or have previously sought asylum in Australia,” he said.

“Given the type of information that has been reportedly disclosed, these people can’t simply heed Optus’ advice to be on the lookout for scam emails and text messages. Very real risks are created by the disclosure of their personally identifiable information, such as addresses and phone numbers. 

“For other affected customers, the impact may be less serious. However, the fact that some customers appear to have had identification information such as [driver's licences] and passport numbers disclosed is extremely concerning. This information alone would go a long way in allowing a criminal to steal an affected customer’s identity.”

The class action comes days after Optus confirmed its recent data breach is subject to a “criminal investigation”, with up to 9.8 million customers potentially affected.

Optus CEO Kelly Bayer Rosmarin downplayed the number of affected customers in a media conference held on 23 September, saying it was smaller than the “worst case scenario” of 9.8 million but was unable to determine the actual figure.

In an update on 26 September, the telco said it would offer its “most affected” current and former customers the option of a 12-month subscription to credit reporting agency Equifax’s Protect product for free, which claims to offer credit monitoring and identity protection services to reduce the risk of identity theft.

This offering will be provided by Optus via direct communication from the telco, with it stressing that any communications in relation to the breach will not include links, as “we recognise there are criminals who will be using this incident to conduct phishing scams”.

If filed, this would be the latest class action the telco has faced in recent years over a data breach, with it previously facing a class action in April 2020 over an alleged breach that saw roughly 50,000 customers’ details leaked to White Pages.

In that case, however, the data was allegedly leaked by Optus itself.