What happened
In September 2022 Optus disclosed that a cyber attack had exposed the personal information of around 9.5 million current and former customers — including, for a subset, government identity-document numbers [oaic-optus]. In August 2025 the Australian Information Commissioner commenced civil penalty proceedings against Optus in the Federal Court, alleging the telco failed to protect customers’ personal information [oaic-optus].
Timeline
- 2022-09 — Optus disclosed the breach; approx 9.5M customers affected [oaic-optus].
- 2025-08 — OAIC commenced civil penalty proceedings in the Federal Court [oaic-optus].
Current status
Before the Federal Court. The allegations are not yet determined — no penalty has been ordered. This record will update as the proceedings progress. [oaic-optus]
Why it matters
The breach drove Australia’s move to higher privacy penalties and put identity-document handling by telcos under scrutiny. Figures and allegations here are as stated by the regulator.