#1 Middle East & Africa Trusted Cybersecurity News & Magazine

Saturday, August 9, 2025

Australian Privacy Regulator Launches Landmark Civil Penalty Action Against Optus Over 2022 Data Breach


On 8 August 2025, the Australian Information Commissioner (AIC) filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited over the 2022 data breach that exposed the personal information of approximately 9.5 million Australians. The case is one of the largest privacy enforcement actions in Australia's history: the theoretical maximum penalty runs into the trillions of dollars, although the Court will determine the actual figure.

On 22 September 2022, Optus disclosed a cybersecurity incident in which a threat actor accessed sensitive personal data of millions of customers, past and present. The compromised data included:

  • Names, dates of birth, addresses, phone numbers, and email addresses.
  • Government identifiers such as passport, driver’s licence, Medicare, and birth certificate numbers.
  • Defence and police identification details.

Some of this data was subsequently released on the dark web.

October 2019 – September 2022 – Alleged Failures

According to the AIC, from 17 October 2019 to 20 September 2022, Optus failed to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, as required by Australian Privacy Principle 11 under the Privacy Act 1988. The regulator alleges that Optus' information security controls were inadequate given its size, the volume of personal data it held, and the risks involved.

August 2025 – Federal Court Proceedings

The AIC initiated proceedings alleging one contravention for each affected individual, potentially 9.5 million separate contraventions. Under the law in force at the time of the breach, each contravention carries a maximum civil penalty of AUD 2.22 million, so the arithmetic upper limit (9.5 million × AUD 2.22 million) is roughly AUD 21 trillion. That figure is theoretical: the actual penalty, if any, will be set by the Court.

Official Statements

Australian Information Commissioner Elizabeth Tydd said:

“The commencement of these proceedings confirms that the OAIC will take the action necessary to uphold the rights of the Australian community. Organisations hold personal information within legal requirements and based upon trust.”

Australian Privacy Commissioner Carly Kind highlighted technical and governance failings:

“The Optus data breach highlights risks associated with external-facing websites and domains, especially when interacting with internal databases, as well as the risks of using third-party providers. Strong data governance and embedded security practices are essential.”

Legal Context

Privacy Act Enforcement

Section 13G of the Privacy Act 1988 allows the AIC to seek Federal Court civil penalties for serious or repeated interferences with privacy.

  • Pre-December 2022 maximum per contravention: AUD 2.22 million (the figure that applies here, because the alleged conduct ended on 20 September 2022).
  • Post-December 2022 maximum per contravention: the greater of AUD 50 million, three times the value of any benefit obtained from the contravention, or 30% of the organisation's adjusted turnover for the breach period (not applicable in this case due to timing).

Nature of Allegations

The OAIC claims Optus:

  • Failed to adequately manage cybersecurity and information security risk.
  • Did not implement reasonable steps to secure data given its resources and the sensitivity of information.
  • Did not sufficiently mitigate the risk of harm to individuals.

Global & Regional Perspective

While the case is centred in Australia, the implications resonate globally. Telecommunications providers in the Middle East & Africa — many of which hold comparable volumes of sensitive citizen data — face similar obligations under local privacy laws and could face parallel enforcement if breaches occur. The enforcement action signals to global operators that regulators are increasingly willing to pursue large-scale penalties for systemic failures in data protection.

Actionable Takeaways for CISOs and Executives

  1. Assign clear ownership for internet-facing domains and systems.
  2. Verify authorisation for all customer data access requests.
  3. Layer security controls to prevent single points of failure.
  4. Implement robust monitoring to detect and respond to vulnerabilities quickly.
  5. Resource privacy and security services adequately, including oversight of third-party providers.
  6. Regularly review and test critical and sensitive infrastructure security.
  7. Enforce strong authentication for systems holding sensitive information.
  8. Encrypt personal data in transit and at rest.
  9. Conduct awareness and training for staff on data protection obligations.
  10. Document and audit privacy compliance measures for accountability.

Conclusion

The Optus proceedings mark a pivotal moment in Australia's privacy enforcement landscape, reinforcing that regulators will hold organisations accountable for large-scale failures to safeguard personal data. The case underscores the business, legal, and reputational risks of inadequate cybersecurity governance. With global regulators aligning toward tougher sanctions, proactive compliance is no longer optional; it is a core operational imperative.


Ouaissou DEMBELE
