Class Action Law Firms Seek Access to Commissioned Deloitte Report Into Mega-Breach
The Federal Court of Australia has rejected a request from telecommunications giant Optus to keep private a detailed forensic investigation report into a massive data breach it suffered in 2022. The breach exposed private and confidential information pertaining to up to 9.8 million Optus customers.
Australia’s top court delivered that verdict Monday. In doing so, the court rejected an appeal by Optus, which sought to throw out a lower court ruling from last November that found the company couldn’t claim legal professional privilege to keep secret the details of an external investigation into the breach it commissioned Deloitte to conduct.
To claim legal privilege, the court ruled, Optus would have had to prove – beyond a doubt – that it commissioned Deloitte to conduct the in-depth investigation into the serious security incident purely for legal advice, as well as to allow itself to defend against future regulatory investigations or litigation lodged by, or on behalf of, affected customers.
Optus announced in September 2022 that attackers breached its systems, stealing sensitive information pertaining to nearly 10 million current and former customers. Exposed data included names, birthdates, phone numbers, email addresses and for a subset of customers, their addresses and ID document information, such as driver’s license and passport numbers.
The next month, the company said it engaged international professional services firm Deloitte “to conduct an independent external review of the recent cyberattack, and its security systems, controls and processes.”
In its ruling this week, Australia’s highest court referenced statements made by Optus CEO Bayer Rosmarin in 2022, after the investigation was commissioned. The CEO said it would enable Optus to respond effectively to the security incident, minimize harm to customers whose data was stolen or accessed, and help the organization know what next steps to take to prevent such an incident from occurring again.
“While our overwhelming focus remains on protecting our customers and minimizing the harm that might come from the theft of their information, we are determined to find out what went wrong,” Rosmarin said at the time. “I am committed to rebuilding trust with our customers and this important process will assist those efforts.”
Both the federal court and lower court, referencing Optus’ press release and Rosmarin’s statement, concluded that at no stage did the company state that it commissioned the external digital forensic assessment into the attack primarily to defend itself from future litigation or regulatory probes.
Even if the company had multiple reasons to commission the investigation, the court said no evidence suggested any “legal purpose” dominated all of Optus’ other considerations. The courts also said they could find no reference to any such legal purpose in letters exchanged between Optus’ board of directors and the company secretary, or in any of the company’s public statements following the breach.
Optus Faces Avalanche of Lawsuits
The federal court’s verdict opens the doors to class-action lawyers seeking access to the detailed digital forensic analysis that Deloitte submitted to Optus on July 13, 2023. Leading Australian law firm Slater and Gordon, which in April 2023 filed a class action lawsuit against Optus in the Federal Court of Australia, said the court’s recent decision will force Optus to take responsibility for its actions.
“Despite refusing to accept the umpire’s decision, Optus must now hand over the Deloitte report into how millions of its customers’ private information was accessed as a consequence of the 2022 data breach,” Ben Hardwick, the firm’s class actions practice group leader, told AFR.
“Optus’ efforts to shield this report are indicative of a company that refuses to accept responsibility for its role in what happened, and the significant impact this data breach has had on millions of its Australian customers,” he said.
The telecommunications giant contends that keeping some of the information contained in the Deloitte report secret remains integral to the efficacy of its corporate security program.
“Our priority is ensuring our customers have ongoing confidence in the integrity of our cyber defense systems,” a company spokesperson said. “In this regard, Optus will consider our next steps which may include seeking confidentiality orders relating to elements of the report that we believe are key to the ongoing protection of our customer data and our systems from cybercriminals.”
The Australian Communications and Media Authority last week filed proceedings against Optus in federal court, accusing the company of failing to protect the sensitive customer data stolen in the 2022 breach (see: Australian Telecom Watchdog Sues Optus Over 2022 Data Breach).
Also as a result of the breach, the Office of the Australian Information Commissioner launched an investigation into Optus’ personal information-handling practices, which has yet to conclude. The regulator said it intended to probe whether the company “took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorized access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business.”
The OAIC said it’s also investigating whether Optus took reasonable steps to comply with the Australian Privacy Principles during and in the aftermath of the security incident.