An Australian law firm on Friday launched a class-action lawsuit against telecommunications giant Optus, seeking compensation for the fallout of a major data breach that occurred in September. 

Filed in the Federal Court of Australia, the lawsuit accuses Optus of violating fundamental privacy principles and breaching its duty of care to its customers. The suit claims that the company “failed to protect, or take reasonable steps to protect, the personal information of its current and former customers.” The plaintiffs are seeking compensation for both economic and non-economic losses, including the expenses and time required to replace identity documents and safeguard their privacy following the cyberattack, as well as damages for distress, frustration, and disappointment.

Litigants are seeking compensation for losses incurred, including the time and money spent replacing identity documents and other measures to protect their privacy following the cyberattack. The lawsuit will also seek damages for non-economic losses, including distress, frustration and disappointment.

The Office of the Australian Information Commissioner commenced an investigation in October 2022 to determine whether Optus breached Australian Privacy Principle 1, the “open and transparent management of personal information”.

Nearly 10 million current and former Optus customers’ personal details were compromised in the breach. Optus notified customers that cybercriminals had accessed personal details, such as customer names, dates of birth, phone numbers and email addresses. Additionally, some customers’ identity documents were accessed, including driver license numbers, proof of age documents, passport details and medicare card numbers. Of those affected, the details of about 10,000 customers’ were released on the dark web.