Thousands of Optus customers who had personal details stolen in a cyberattack and leaked on the dark web may never find out how the breach happened after the telecommunications group pleaded “legal professional privilege” to try to stop a report into the hack being released.
Optus appointed consultants Deloitte to review its security systems and do a forensic investigation into the September 2022 cyberattack, which led to the personal information of some 10,200 customers – including passport, driver’s licence and Medicare numbers – being posted online.
Optus CEO Kelly Bayer Rosmarin has spoken publicly numerous times about lessons learned from the data breach.
Chief executive Kelly Bayer Rosmarin said in October that the consultant’s investigation would “play a crucial role” in Optus’ response to the attack and that it might “help others in the private and public sector”.
In March, Ms Rosmarin told The Australian Financial Review’s Business Summit that while the company did not plan to release the full Deloitte report, Optus would share recommendations.
But Optus now says that even though Deloitte has finished the report, it does not currently intend to release any information to Optus customers and the public.
“The report is confidential and the subject of a legal professional privilege claim,” an Optus spokeswoman told The Australian Financial Review.
“Deloitte completed its report into the cyberattack a while ago, but as the matter is currently before the courts and the attack remains the subject of criminal investigation, Optus is making no further comment about the report, which is and remains confidential, as is common precedent.”
The privilege claim has been made in class action proceedings brought