Credit: Optus
Law firm Slater and Gordon has issued proceedings against Optus on behalf of current and former customers whose personal information was compromised in the September data breach.
The data breach saw up to 9.8 million customers affected with the telco placing $140 million aside as an ‘exceptional expense’ towards recovery activities.
The statement of claim, lodged in the Federal Court, accuses Optus of breaching privacy, telecommunication and consumer laws as well as the company’s internal policies.
The claim outlines Optus failed to protect or take reasonable steps to protect customers’ personal information from unauthorised access or disclosure; failed to destroy or de-identify former customers’ personal information, and failed to ensure that only those who had a legitimate reason for having access to customers’ personal information could access it.
Optus has also been accused in the class action of breaching contractual obligations to customers along with its duty of care to ensure customers did not suffer harm arising from the unauthorised access or disclosure of their personal information.
It is claimed such harm was reasonably foreseeable if customer data was compromised.
Group members are seeking compensation for losses the data breach caused, including time and money spent replacing identity documents in addition to other measures to protect their privacy and prevent the increased likelihood of them falling victim to scams and identity theft.
They are also seeking damages for non-economic losses such as distress, frustration and disappointment.
Slater and Gordon class action practice group leader, Ben Hardwick said more than 100,000 of Optus’s current and former customers had so far registered for the class action.
“Very real risks were created by the disclosure of this private information that Optus customers had every right to believe was securely protected by their telecommunications and internet provider,” Hardwick said.
“Concerningly, the data breach has also potentially jeopardised the safety of a large number of particularly vulnerable groups of Optus customers, such as victims of domestic violence, stalking and other crimes, as well as those working in frontline occupations including the defence force and policing."
The lead applicant, who does not want his name disclosed out of fear he will be targeted by other cyber criminals or scammers, said that he had been left feeling “vulnerable, exposed and worried” after learning his personal information had been compromised.
“Not knowing what still might happen as a result of having my information accessed and by whom haunts me,” the Victorian man said.
“I had to make a lot of calls and do a lot of running around in the aftermath of this breach to make sure my bank account and other accounts hadn’t been compromised, and I noticed I was being targeted by phishing and other scams a lot more frequently.”
The second lead applicant, who also does not want to be named to prevent further privacy or data security compromises, was one of the many thousands of affected Optus customers whose ID documents had to be subsequently replaced.
“It was incredibly stressful trying to get answers from Optus about what information had been exposed and then taking action to rectify the damage so I could try to stop anything else from happening,” the Queensland woman said.
“I spent a lot of time changing passwords to all of my accounts, have been constantly checking that money hasn’t been stolen, and making sure I’ve done everything I can to protect myself. One of the worst aspects of all this was the fact that I had no control over what had happened, so it’s been pretty overwhelming.”
Hardwick said many of the affected customers had expressed frustration about Optus’s delays in providing detailed information about the privacy breach and inconsistencies with how the telco was treating one affected customer to the next.
“Some registrants have told us they were fobbed off when they sought information from Optus about exactly what data had been exposed, and others have informed us that Optus refused to pay for credit monitoring services on the basis they were no longer Optus customers,” he said.
“There appears to have been a piecemeal response from Optus, rather than a coordinated approach that made sure everyone whose data was compromised is treated the same.
“Any suggestion that affected customers have not suffered as a result of this data breach is like rubbing salt into the wounds of those who have lived it and are continuing to deal with the fallout.”
