Telecom giant Optus has been ordered to hand over a secret report detailing exactly how the private data of millions of customers was stolen by hackers.
Optus engaged professional services network Deloitte to conduct an investigation into the company shortly after the massive data breach between September 17 and 20, 2022.
Nearly 10 million customers had their personal data, such as passports, driver’s licenses and telephone numbers, stolen during the hack.
The company appealed to the Federal Court on Monday against an earlier decision by Judge Jonathan Beach requiring them to release the document.
A full bench of Federal Court judges – Bernard Murphy, Stewart Anderson and Penelope Neskovicin – unanimously upheld the order on Monday.
Optus has now twice failed to prove that the report was primarily for legal purposes and must submit the document as evidence in a class action brought by customers affected by the hack.
Telecom giant Optus has been ordered by the Federal Court to tender a top secret report from Deloitte into a massive data breach in September 2022.
The Federal Court found that Optus’ appeal had also not proven that the report was written for other reasons.
The court quoted a press release from then CEO Kelly Bayer Rosmarin.
Ms Bayer Rosmarin said in October 2022 that the report would ‘play a crucial role in the response to the incident for Optus as it works to support customers’.
‘While our overwhelming focus remains on protecting our customers and minimising the harm that could result from the theft of their information, we are committed to finding out what went wrong.
‘This review will ensure we understand how it happened and how we can prevent it from happening again. It will assist Optus in its response to the incident.’
She added that Deloitte’s report was an ‘important process’ to ‘restore trust with our clients’.
Optus suffered twin catastrophes – the cyber attack and then a 14-hour network outage months later in November – forcing Ms Bayer Rosmarin to step down from her role last year.
Optus barrister Steven Finch, SC, told the court at a hearing in May that it would be difficult to find a press release indicating a legal purpose for a report of this kind.
Mr Finch argued that the purpose of such releases is to ‘calm down’, the Australian Business Network reports.
The Federal Court instead found that the release was ‘significant to the findings of the primary judges’, which they said were correct.
The breach saw the personal data, such as passports, driver’s licenses and phone numbers, of around 10 million customers stolen during the hack.
The cyber attack and a fourteen-hour network outage in November forced then-CEO Kelly Bayer Rosmarin to resign from her position last year.
Optus General Counsel Nicholes Kusalic’s evidence before Judge Beach on why the company was ‘vague’ about the reasoning behind the report was also rejected by the court.
‘Not only did Optus provide no direct evidence from Ms Bayer Rosmarin or any member of the Board of Directors, Mr Kusalic’s evidence did not even provide hearsay evidence, based on information and belief, as to Ms Bayer Rosmarin’s state of mind, or about the state of mind of the board members insofar as he spoke to them,’ the judgment said.
‘In our view, the primary judge was correct in finding on the evidence that there were multiple purposes for which the Deloitte report was commissioned.
‘The evidence did not establish that the Deloitte report was obtained for the primary purpose of obtaining legal advice from Optus or for use in legal or regulatory proceedings.’
The judgment found that the Deloitte report was also prepared to identify the root cause of the cyber attack and assess Optus’ management and response to the breach.
Optus is also facing two investigations into the breach by the Office of the Australian Information Commissioner and the Australian Communications and Media Authority.