100,000 customers sue Optus for failing to protect personal data
Late last year, Optus lost over 10 million customers’ sensitive information to hackers during one of Australia’s most significant data breaches. Public outcry followed Optus’ botched handling before and after the data breach, leading to a class action suit by 100,000 former and current Optus customers.
Recall we reported that Optus was hacked around six months ago, leaving millions of customers’ information in the hands of hackers who posted the data online for anyone to see. The hackers later deleted the public post, but the damage was already done.
More concerning was the ease with which the hack took place. And even more concerning is the ongoing nature of such data breaches, which leaves affected customers with the possibility of their information being used at any random time.
Now, with 100,000 customers launching a class action suit against Optus for damages resulting from the data breach, Australians hope this could be a great way of ensuring companies do more to protect and secure their data.
How did Optus get hacked?
Securing data is a full-time job. As a result, companies put together departments specifically for securing customer data and staff them with cybersecurity experts. While this is every customer’s expectation, it doesn’t always translate to the company sticking to best practices.
Whether or not Optus was culpable in the data breach is now a question for the courts to decide. However, you can draw your own conclusion based on what led to the successful hack.
In a previous article about the Optus data breach, we pointed out the threefold loopholes that led to the hack. Here’s a recap:
- Optus’ API was left open, which isn’t rare. But while leaving an API open doesn’t always present a problem, it did in this case.
- That’s because leaving the API open exposed sensitive data like passwords, addresses, and names.
- And most importantly, the data had customer identifiers. This is also common, but while such identifiers are typically random, they were not in this case. Optus assigned sequential numbers as identifiers, making them easy to guess. For instance, if you were customer number 1234, whoever signed up after you was number 1235 – a very predictable customer number.
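To make the third point concrete from a defender’s side, here is an added example (not Optus’ code or anything from the original article) that does two things: it flags, in a constructed API access log whose format is an assumption, a client that walks consecutive customer numbers against the endpoint, and it shows the opaque, random identifier that should have been used instead of a sequential counter.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample access log (not real Optus traffic); the line format is an assumption.
SAMPLE_LOG = """\
203.0.113.7 GET /api/customer/1234 200
203.0.113.7 GET /api/customer/1235 200
203.0.113.7 GET /api/customer/1236 200
203.0.113.7 GET /api/customer/1237 200
203.0.113.7 GET /api/customer/1238 200
198.51.100.20 GET /api/customer/1234 200
198.51.100.20 GET /api/customer/9021 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) \S+ /api/customer/(?P<cid>\d+) \d+$")

def find_sequential_enumeration(log_text, min_run=4):
    """Return {ip: longest run of consecutive customer IDs} for clients whose
    longest run reaches min_run. A client stepping through 1234, 1235, 1236...
    is the signature of predictable identifiers being guessed on an open endpoint."""
    ids_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids_by_ip[m["ip"]].append(int(m["cid"]))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged

def new_customer_id(nbytes=16):
    """Opaque, unguessable identifier: knowing one customer's ID reveals
    nothing about any other customer's, unlike a sequential counter."""
    return secrets.token_urlsafe(nbytes)

def is_predictable(ids):
    """True when a sample of identifiers is a plain increasing counter."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    return all(b == a + 1 for a, b in zip(nums, nums[1:]))
```

An opaque identifier is not a substitute for authentication and authorisation on the endpoint; it only removes the guessability that turned a single leaked record into the whole customer base.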
The breach was a significant eye-opener for how easy it is for your data to be exposed while in the custody of companies you patronise. The lost data includes customer names, dates of birth, email addresses, driver’s licence numbers, Medicare card numbers, and passport details. But according to Optus, bank account details were not compromised. Our article on the incident stated that Optus failed to meet its security duties to its customers, and now that conclusion is the basis for the class action lawsuit.
What you need to know about the class action lawsuit against Optus
Law firm Slater and Gordon has filed a class action lawsuit against Optus on behalf of 100,000 Australians, alleging that the telco had a duty of care to protect its customers from harm and failed to do so. The suit also alleges that Optus breached consumer and telecommunications law. The affected customers include current Optus customers and former users whose information was still in Optus’ possession.
Ben Hardick of Slater and Gordon stated that the release of personal information in the data breach has caused “great anxiety” for Optus users. He said that people working in “frontline occupations”, such as police officers, are now in danger of being found through the leaked personal information. “And, so, this class action is about seeking redress for the potentially millions of Australians who have been affected by this data breach,” he said.
One of the lead plaintiffs in the class action suit, a Victorian man, described the effects of the breach, stating that it left him feeling “vulnerable, exposed, and worried”. He claims he has noticed an increase in phishing and other scams since the breach occurred, and stated: “It feels like only a matter of time before I get scammed or defrauded, which is a constant worry that I didn’t have before I was let down by Optus.”
Another plaintiff, Kate, a former customer who has asked to remain anonymous, stated that the released information stemming from the breach has left her and her children exposed after being a victim of domestic violence in the past. Ms Kate said, “I’ve spent every day basically anxious, just wondering if my details were going to fall into the wrong hands.”
A clear thread runs through these complaints: the ongoing nature of the exposure that follows such significant data breaches. While customers might replace compromised documents like driver’s licences and passports after the fact, their other details remain the same, leaving them continuously exposed to whoever decides to access the leaked data. This concern has caused anxiety for affected Optus customers, and rightfully so.
How has Optus responded to the data breach and now the lawsuit?
Within a month of the data breach, Optus lost 10 per cent of its existing customers, while an additional 56 per cent were looking elsewhere for new SIM plans. To their credit, Optus didn’t sit completely idle – the telco set aside $140 million for affected customers.
However, while $140 million sounds commendable, one must consider that 10 million former and current customers were affected. That means Optus expected each affected customer to be satisfied with $14 in compensation. Unfortunately for Optus, the latest class action suit indicates that 100,000 customers believe that $14 is not nearly enough.
After the data breach, Optus also sought a review of its practices by global security firm Deloitte to ascertain how the hackers were able to penetrate its system. The partnership also aims to strengthen data security. The telco also pledged to share whatever it learns to help prevent further hacks on other telcos; implement helpful tools in its app; offer credit and ID monitoring to customers; create better digital identifiers; and educate people on how to avoid similar hacks.
While these moves can be viewed as attempting to right an obvious wrong, Optus is not admitting to human error or culpability. In fact, the telco has vowed to defend itself in court “vigorously”.
Final words
Data breaches have become more frequent, and the resulting damages linger for years after the fact. Affected consumers have to live with the possibility of bad actors using their data to commit fraud and other scams, leaving them as virtual sitting ducks. The severity of a data breach of any scale cannot be ignored – it is a daunting event regardless of the company involved.
In Optus’ case, the data breach left 10 million customers exposed. And many have criticised Optus for not doing enough to secure the breached data and for fumbling the ball after the fact. The telco has been criticised by the government and several independent review bodies, and in October of last year, the ACCC threatened to sue Optus for $2.2 million.
But how do you get such a large company to take its duty to protect your data more seriously? Is government scolding and intervention after the fact enough? Or should the affected customers themselves take action? Companies typically do the right thing whenever their bottom line is concerned. A class action suit is a great tool to target said bottom line and compel Optus to take cybersecurity more seriously.