
Optus faces OAIC legal action following 2022 data breach

Why it matters: This case is a wake-up call for all Australian businesses holding personal information – the penalties and risk of reputational damage are higher than ever.

Optus faces landmark OAIC privacy proceedings

On 8 August 2025, the Office of the Australian Information Commissioner (OAIC) commenced civil penalty proceedings in the Federal Court against Optus, one of Australia’s largest telecommunications providers. The case arises from the major data breach reported by Optus in September 2022, and marks a significant step in the enforcement of Australia’s privacy laws. The proceedings signal heightened regulatory expectations for organisations holding large volumes of personal information.

How the Optus data breach unfolded

The OAIC alleges that Optus failed to take reasonable steps to protect the personal information of its current, former and prospective customers, in breach of its obligations under the Privacy Act 1988 (Cth) (Privacy Act).

The 2022 breach affected approximately 9.5 million Australians and exposed personal information including names, dates of birth, addresses, phone numbers, and, in some cases, government-issued identification, such as driver’s licence and passport numbers.

What the Privacy Act requires

Australian Privacy Principle (APP) 11.1 requires regulated entities to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. According to the Australian Information Commissioner, Optus’s failure to meet its APP 11.1 obligations may have left affected individuals vulnerable to identity theft, fraud and cybercrime – risks that could have been mitigated through stronger safeguards.

Under section 13G of the Privacy Act, a serious or repeated interference with privacy can attract significant civil penalties. For breaches that occurred before 13 December 2022, the Federal Court may impose penalties of up to $2.22 million per contravention. In the Optus case, the Commissioner alleges a separate contravention for each of the approximately 9.5 million individuals affected, and the ultimate penalty will be determined by the Court.

OAIC’s tougher penalties and expanded powers

While Optus already faces significant exposure in these proceedings, if the same breach had occurred today the consequences would potentially be far more severe. Legislative reforms – including the Privacy and Other Legislation Amendment Act 2024 (Cth) – have substantially increased maximum penalties and strengthened the OAIC’s enforcement powers.

Key changes include:

  • Increased civil penalties: For serious interferences with privacy, the maximum penalty is now the greater of $50 million, three times the value of the benefit obtained, or 30% of adjusted turnover over the breach period (introduced for conduct from 13 December 2022). The 2024 reforms added mid-tier and lower-tier penalties, so that less serious or administrative contraventions can also be penalised without meeting the "serious" threshold.
  • Expanded OAIC enforcement powers: These include compulsory information‑gathering, entry and search of premises, expanded public inquiry powers, the ability to issue compliance notices and accept enforceable undertakings, and require remedial actions. The OAIC may also share information with other regulators and publish enforcement outcomes.
  • New statutory tort for serious invasions of privacy: Commencing 10 June 2025, this cause of action allows individuals to sue directly for intentional or reckless intrusions upon seclusion or misuse of their information, where they had a reasonable expectation of privacy and the invasion is serious. Damages, including for emotional distress, may be awarded without proof of actual loss; the tort does not extend to merely negligent conduct.

What businesses need to do now

The Optus proceedings serve as a timely reminder for businesses of the increasing regulatory scrutiny on compliance with Australia’s privacy laws.

Businesses should keep the following considerations front of mind:

  • Conduct regular data security reviews: Security measures should focus on systems holding sensitive or large volumes of personal information, with regular reviews to prevent unauthorised transfer or loss.
  • Assign clear privacy governance roles: Appoint responsible roles or teams with clear accountability for privacy compliance, supported with adequate resources and training.
  • Strengthen third-party risk management: Monitor and manage privacy risks associated with third-party services or solutions – particularly where contractors handle sensitive or large-scale personal information.
  • Test incident response preparedness: Maintain effective data breach monitoring, incident response and notification procedures, and ensure staff are trained to take timely and appropriate action in the event of a breach.

Preparing for a new era of privacy enforcement

The civil proceedings against Optus underscore the escalating consequences of inadequate privacy protections. Since the 2022 breach, the regulatory environment for privacy in Australia has become significantly more stringent – with higher penalties, broader enforcement powers for the OAIC and increased rights for individuals.

Businesses should adopt a proactive approach to privacy compliance, embedding privacy and security into all aspects of their operations. Early investment in these areas not only reduces legal and financial exposure but also strengthens public trust and enhances corporate reputation with consumers.

This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.

Our cyber and information security expertise

DMAW Lawyers has you covered when it comes to identifying your legal obligations, assessing risk and exposure, and putting in place strategies to manage legal risks and meet regulatory obligations, whether that be:

  • digital information security obligations and protections in supply chain contracts;
  • privacy, data breach assessment, incident response and notification laws;
  • on-boarding and off-boarding processes; or
  • fit for purpose employment contracts and digital security and AI policies.

Find out more about how our cyber and information security legal experts can assist your business.
