Optus faces the mother-of-all data breach class actions

By Cameron Abbott, Rob Pulham, Stephanie Mayhew and Dadar Ahmadi-Pirshahid

The data breach that affected 9.8 million Australians and resulted in the personal information of 10,000 Optus customers being exposed on the dark web in September last year will be litigated in a class action lawsuit filed last Friday (21 April) in the Federal Court of Australia.

The allegations made against Optus include that the telecommunications company breached its contract with and duty of care towards Optus customers, that Optus breached the Australian Consumer Law and that Optus breached the Australian Privacy Principles under the Privacy Act 1988 (“Privacy Act”).

The class is broad, including “[a]ll former and current Optus customers whose information was compromised in the September 2022 data breach”, which means that the potential liability in dispute is quite substantial.

While businesses might demonstrate reasonable steps were taken to protect data, many like Optus will struggle to explain why they had retained so much data. It would seem that it is a rare thing for organisations to have a proper process in place to regularly review and action data that is no longer required. 

Without regular hygiene, personal information holdings can grow out to mother lode proportions, and the last thing Australia needs is a data breach gold rush.