Further investigations are being launched into the Optus cyber attack that affected millions of customers last month.
Key points:
- The information commissioner and the communications and media authority have launched inquiries
- The investigations will look at whether Optus breached its obligations under the law and to customers
- Neither body has indicated how long the inquiries will take
As a telecommunications provider, Optus has obligations around the retention, disposal and protection of personal information.
The Office of the Australian Information Commissioner (OAIC) has launched an investigation that will look at the company's handling of customers' data.
The remit of the investigation was outlined in a statement from the OAIC on Tuesday.
"The OAIC's investigation will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business," the statement said.
"The investigation will also consider whether the Optus companies took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs), including enabling them to deal with related inquiries or complaints."
Depending on the findings of the inquiry, Optus could be required to provide redress for any loss or damage caused to customers or pay civil penalties that could run into the millions.
Multiple investigations now underway
The OAIC will also work with the Australian Communications and Media Authority (ACMA) which has also launched an investigation.
ACMA Chair Nerida O'Loughlin said her enquiry will focus on whether Optus breached its obligations.
"When customers entrust their personal information to their telecommunications provider, they rightly expect that information will be properly safeguarded. Failure to do this has significant consequences for all involved," she said in a statement.
"All telcos have obligations regarding how they acquire, retain, protect and dispose of the personal information of their customers.
"A key focus for the ACMA will be Optus's compliance with these obligations."
The findings of ACMA's investigation will be made public once completed.
Neither body has indicated how long the inquiries will take and follow investigations launched by federal police.
Flooding of scam concerns
Australia's consumer watchdog has been flooded with reports of scams following the data breach.
The Australian Competition and Consumer Commission (ACCC) said they had received about 600 reports a day since September 22.
The reports have been collected through the ACCC's Scamwatch, which encourages members of the public to report scams.
ACCC Chair Gina Cass-Gottlieb said in a lot of cases, scammers had taken advantage of the data breach and pretended to be Optus to steal money.
Some Australians have been contacted by people claiming to be from Optus or MyGov.
And while Ms Cass-Gottlieb said there had been a "small number" of losses to scammers, people appeared to be more alert to scams.
However she said one of the reasons there had been a high number of reports was because of a lack of information about what was going on.
"The message we are getting from these reports is that consumers are confused about the information they are receiving or not receiving from Optus," she said.
"They are anxious.
"They don't feel they know sufficiently what it is that is the impact on them, and the risks that they face."