Former and current customers whose personal information including key identity documents was compromised during the Optus data breach have launched a lawsuit against the telco.
The suit filed by class action law firm Slater and Gordon and representing 100,000 people accuses Optus of breaching privacy, telecommunication and consumer laws as well as the company’s internal policies.
The Singapore-owned telco breached its duty of care to ensure customers did not suffer harm arising from the unauthorised access or disclosure of their personal information, did not take reasonable steps to protect customer information and failed to destroy or de-identify former customers’ personal information, the lawsuit alleges.
Almost 10 million Optus customers had their personal information stolen during last year’s breach, including passport, licence and Medicare details.
“The type of information made accessible put affected customers at a higher risk of being scammed and having their identities stolen, and Optus should have had adequate measures in place to prevent that,” Slater and Gordon class actions practice group leader Ben Hardwick said on Friday.
“Concerningly, the data breach has also potentially jeopardised the safety of a large number of particularly vulnerable groups of Optus customers, such as victims of domestic violence, stalking and other crimes, as well as those working in frontline occupations including the defence force and policing.”
About 20 terabytes of data were improperly accessed including current and former customers’ names, dates of birth, phone numbers and email addresses
A subset of the 9.8 million affected customers also had their addresses and identity document numbers compromised.
The data breach was the first of a wave of leaks and hacks last September and October that hit major Australian corporations including Medibank Private, EnergyAustralia and Woolworths.
Information from 10,200 customers was exposed publicly during ransom demands, but no customer had suffered any financial loss or fallen victim to a crime through misuse of the data, chief executive Kelly Bayer Rosmarin said last month.
The telco also offered customers free access to identity theft monitoring.
Among the 100,000 people who registered for the class action is a domestic violence victim who spent money intended for counselling for her children on increasing security measures around the house, and a retired police officer concerned his home address may have been shared with criminals he’d put away.
Victims of burglary, stalking and scam calls also signed up after being concerned about their future.
“Not knowing what still might happen as a result of having my information accessed and by whom haunts me,” says the lead applicant, whose identity is being kept secret.
“It feels like only a matter of time before I get scammed or defrauded, which is a constant worry that I didn’t have before I was let down by Optus.”
Optus on Friday confirmed it had been advised about the filing of the class action related to “the criminal cyber-attack” against it.
“As indicated previously, Optus will vigorously defend any such proceedings,” a spokesman said.
The breach is being investigated by the Office of the Australian Information Commissioner, Australia’s media watchdog and other agencies.
The Albanese government in February also set up a national cyber security office within the Department of Home Affairs to co-ordinate the national response to major cyber attacks.
By Luke Costin in Sydney