Optus slapped with $1.5m fine for public safety breaches
Optus Mobile has been fined $1.5 million by the Australian Communications and Media Authority (ACMA) for significant breaches of public safety rules.
The penalty comes as Privacy Commissioner investigations continue into its massive data breach, as well as a Senate Inquiry into its failure to provide customers with emergency service access during the 14-hour network outage across the country last November.
The telecommunications giant failed to upload required customer information to the Integrated Public Number Database (IPND) between January 2021 and September 2023, leaving nearly 200,000 mobile customers at risk. These customers were supplied under the Coles Mobile and Catch Connect brands.
The IPND is utilised by critical services such as the Emergency Alert service and Triple Zero to provide location information to police, ambulance, and fire brigade in emergencies.
“When emergency services are hindered there can be very serious consequences for the safety of Australians. While we are not aware of anyone being directly harmed due to the non-compliance in this case, it’s alarming that Optus placed so many customers in this position for so long,” ACMA member Samantha Yorke stated.
The investigation began after a compliance audit indicated Optus had failed to upload data via its outsourced supplier, Prvdr Pty Ltd. Optus has been directed to comply with the IPND industry code and has accepted a court-enforceable undertaking that requires an independent review of its IPND compliance where it uses a third-party data provider.
The fine also comes after it was revealed nearly 2700 customers tried to access emergency services via 000 during the November 14-hour network outage, a number 10 times higher than first stated by former Optus CEO, Kelly Rosmarin, to a Senate Inquiry launched into the situation. ACMA requires telcos to check on people who have tried to call emergency services during network outages but failed to get through. While Optus said it had conducted welfare checks on the initial 228 callers identified as trying to access 000, it has since admitted it did not check on the other 2450.
“Optus cannot outsource its obligations, even if part of the process is being undertaken by a third party,” Yorke emphasised. “All telcos need to have systems in place that ensure they are meeting their obligations, including having robust oversight and assurance processes for third-party suppliers.”
If Optus fails to comply with the direction or the enforceable undertaking, ACMA may commence proceedings in the Federal Court, which can order penalties up to $10 million per breach.
Over the past 18 months, ACMA has taken action against five telcos for IPND breaches, with financial penalties totalling more than $2 million.