The Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority have launched investigations into Singtel subsidiary Optus’ massive data breach in September.
It's thought roughly 2.8 million Optus customers had their personal data exposed in the attack, but the number could be as high as 9.8 million.
The OAIC said its investigation will concentrate on whether Optus took reasonable steps to protect the personal information from “misuse, interference, loss, unauthorised access, modification or disclosure”.
It will also look into whether the telco’s data collection practices were necessary to carry out its business, and whether it implemented best practices in line with the Australian Privacy Principles (APPs), which set standards for collecting and storing personal data.
Once the investigation has been finalised, information and privacy commissioner Angelene Falk may determine whether Optus will need to take steps to compensate for any damage.
Optus could be required to pay civil penalties through the Federal Court of up to $2.2 million for each contravention of the APPs.
Falk warned Australian companies that “collecting and storing personal information that is not reasonably necessary to your business breaches privacy and creates risk. Only collect what is reasonably necessary.”
The OAIC will coordinate its investigation with the Australian Communications and Media Authority (ACMA).
Falk said the investigative partnership set a positive example of regulatory cooperation, leading to better governing standards.
The ACMA’s own formal investigation will look into Optus’ obligations as a telecommunications service provider.
The media authority said its “investigation will take some time” with findings to be made public once completed.
As well as working with OAIC, it will coordinate with the Department of Home Affairs “to ensure effective information-sharing across the respective jurisdictional investigations.”
ACMA chair Nerida O’Loughlin said customers “rightly expect that information will be properly safeguarded” when entrusting their personal information.
“All telcos have obligations regarding how they acquire, retain, protect and dispose of the personal information of their customers. A key focus for the ACMA will be Optus’ compliance with these obligations.
“We look forward to full cooperation from Optus in this investigation.”