In September 2022, Australian telecommunications company Optus suffered a data breach that affected up to 10 million current and former customers, a third of Australia's population. The information illegally obtained included names, dates of birth, home addresses, telephone numbers, email contacts, and passport and driving licence numbers. Conflicting accounts of how the breach happened were given: Optus presented it as a complicated attack on its systems, while an Optus insider and the Australian Government said a human error caused a vulnerability in the company's API. A ransom notice was issued asking for A$1,500,000 to stop the data from being sold online. After a few hours, the data thieves deleted the ransom notice and apologised for their actions.
Government figures, including Home Affairs and Cyber Security Minister Clare O'Neil and Minister for Government Services Bill Shorten, criticised Optus for its role in the attack and for being uncooperative with government agencies and the public. The government announced legislation, including measures allowing information-sharing with financial services and government agencies, and reforms to Australia's laws on security of critical infrastructure to help the government act in the event of future breaches.[1] In response to the data breach, Optus agreed to pay for the replacement of compromised passports, commissioned an external review, and gave seriously affected customers a subscription to a credit monitoring service. Optus also apologised for the breach. Customers criticised Optus for being unresponsive and for providing inadequate responses to those affected. As of June 2023, investigations into the breach and a class-action lawsuit from affected customers were ongoing.