🔒breach.co.nz · the NZ & Australia breach register 🛡️ A Govern service
Register › 🇦🇺 AU › Telco

Optus

🇦🇺 Sydney, NSW · Optus (Singtel Optus Pty Ltd) · Record AU-2022-0212
● Confirmed
People affected
9,500,000 (approx)
Breach date
2022-09
Regulator
OAIC
Trust tier
A · Confirmed

Data exposed

Names, dates of birth, phone numbers, email addresses Media-reported
Driver licence, passport and Medicare numbers (subset of customers) Media-reported

Confidence: Confirmed = regulator/court · Company-confirmed = the organisation's own disclosure · Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In September 2022 Optus disclosed that a cyber attack had exposed the personal information of around 9.5 million current and former customers — including, for a subset, government identity-document numbers [oaic-optus]. In August 2025 the Australian Information Commissioner commenced civil penalty proceedings against Optus in the Federal Court, alleging the telco failed to protect customers’ personal information [oaic-optus].

Timeline

  • 2022-09 — Optus disclosed the breach; approx 9.5M customers affected [oaic-optus].
  • 2025-08 — OAIC commenced civil penalty proceedings in the Federal Court [oaic-optus].

Current status

Before the Federal Court. The allegations are not yet determined — no penalty has been ordered. This record will update as the proceedings progress. [oaic-optus]

Why it matters

The breach drove Australia’s move to higher privacy penalties and put identity-document handling by telcos under scrutiny. Figures and allegations here are as stated by the regulator.