Telecommunications giant Optus has been ordered to hand over a secret report on exactly how hackers stole the private information of millions of customers.
Optus hired professional services network Deloitte to conduct a review of the company shortly after the massive data breach between September 17 and 20, 2022.
Nearly 10 million customers had their personal information, such as passports, driver’s licenses and phone numbers, stolen during the attack.
The company was in Federal Court on Monday appealing a previous decision by Judge Jonathan Beach requiring them to pay the document.
A full court of Federal Court judges (Bernard Murphy, Stewart Anderson and Penelope Neskovicin) unanimously confirmed the order on Monday.
Optus has twice failed to prove that the report was primarily for legal purposes and must now present the document as evidence in a class-action lawsuit brought by customers affected by the hack.
The Federal Court ordered telecoms giant Optus to produce a top-secret Deloitte report into a massive data breach in September 2022 (file image)
The Federal Court concluded that Optus’s appeal had also not shown that the report was for other reasons.
The court cited a press release from then-CEO Kelly Bayer Rosmarin.
Bayer Rosmarin said in October 2022 that the report would “play a crucial role in the response to the incident for Optus as it works to support customers.”
‘While our overwhelming focus remains on protecting our customers and minimizing the damage that could result from the theft of their information, we are determined to find out what went wrong.
‘This review will help ensure we understand how it happened and how we can prevent it from happening again.
You will help inform the response to the incident for Optus.
He added that the Deloitte report was an “important process” to “rebuild trust with our clients.”
Optus suffered two catastrophes: the cyberattack and then a 14-hour network outage months later in November, which forced Bayer Rosmarin to resign from its position last year.
Optus’s lawyer, Steven Finch, SC, told the court during a hearing in May that it would be difficult to find a press release indicating a legal purpose for such a report.
Finch argued that the goal of the releases “is to calm,” the Australian Business Network reports.
Instead, the Federal Court ruled that the release was “significant to the trial judges’ conclusions”, which they considered correct.
The breach led to the theft of personal information, such as passport, driver’s license and phone numbers, of around 10 million customers during the attack.
The cyberattack and a 14-hour network outage in November forced then-CEO Kelly Bayer Rosmarin (pictured) to resign from her position last year.
Optus general counsel Nicholes Kusalic’s evidence to Judge Beach about why the company was “vague” about its reasoning behind the report was also rejected by the court.
“Not only did Optus fail to present direct evidence from Ms Bayer Rosmarin or any member of the board, but Mr Kusalic’s evidence did not even provide hearsay evidence, based on information and belief, about Ms Bayer’s mental state.” Rosmarin, or about the state of mind of the members of the board of directors to the extent that he spoke with them,” the ruling reads.
‘In our view, the trial judge was correct in concluding, based on the evidence, that there were multiple purposes for which the Deloitte Report was commissioned.
“The evidence did not establish that the Deloitte Report was acquired for the primary purpose of Optus obtaining legal advice or for use in litigation or regulatory proceedings.”
The ruling determined that the Deloitte report was also obtained to identify the cause of the cyberattack and review Optus’ management and response to the breach.
Optus also faces two investigations into the breach by the Office of the Australian Information Commissioner and the Australian Communications and Media Authority.
