20.5k unique visitors in the last 3 days

Optus Data Breach Caused Surge in Complaints for Ombudsman, but Not as Many as You Might Expect

10 million Australians were affected but the breach prompted fewer complaints than other common causes of dissatisfaction.

It is not surprising that the latest annual report from Australia’s Telecoms Industry Ombudsman (TIO) frequently mentions the Optus data breach which affected almost 10 million Australians. The breach occurred in September 2022 whilst the Ombudsman’s report covers complaints received from consumers between July 2022 and June 2023. But contrary to how most commentators will choose to interpret the statistics, the number of complaints demonstrates that phone users care surprisingly little about privacy breaches. Let me illustrate by using statistics from the TIO report to make the argument both for and against.

Reasons to believe consumers care deeply about privacy breaches

  • There were 30 percent more complaints and 67 percent more enquiries about Optus than last year.
  • TIO had to develop new processes to cope with the volume of complaints received between October and December 2022.
  • There was a 376 percent increase in complaints about unauthorised disclosure of personal information.

Reasons to believe concern about privacy breaches is exaggerated

  • Unauthorised disclosure of personal information still only ranked as the fifth-highest reason to complain about mobile services. The 7.4 percent of complaints that fell into this category remained well behind the 58.0 percent of complaints about comms providers taking no action or delayed action to resolve an issue, and the 31.6 percent of complaints about fees. More people complained about poor mobile coverage than their personal data being breached.
  • The 26,837 complaints about market leader Telstra was still significantly above the 20,323 complaints about Optus, who have the second-largest market share.
  • Some complaints prompted by the Optus breach fell into other categories, such as a desire to terminate contracts early without penalty. However, a total of 2,355 complaints about unauthorized privacy disclosures across all Australian telcos is tiny compared to the 9.8 million people whose data was breached by Optus.

Optus’ privacy breach definitely cost them money and caused some embarrassment. Politicians castigated Optus. Parent company Singtel made an AUD140mn (USD88mn) provision in their accounts to cover exceptional costs relating to the breach and the mop-up operation which followed. But Optus CEO Kelly Bayer Rosmarin remains in her role despite the flagrant way she tried to mislead the public about the seriousness of the breach and its causes when it first became public. This executive appears to be unsackable despite Optus suffering another nationwide humiliation more recently, as a botched software upgrade is thought to have been the cause of their entire mobile and broadband network collapsing for 14 hours.

A consumer survey conducted soon after the breach implied that 10 percent of Optus customers churned as a result. This proved to be hogwash. Optus revenues and EBITDA for the financial year remained robust. Rosmarin was so busy crowing about the year end figures when they came out that she made no mention of any impact caused by the breach. A few weeks later she chose to avoid reporters who wanted an explanation for Optus’ massive outage. If you want to know why I scorn the quality of many telco executives then consider that this particular CEO did not even cancel a photoshoot to show off the renovation of her fancy AUD15mn (USD10mn) home that was scheduled for the same day as her 10 million customers were disconnected from all their comms services. Her husband, who was previously a bank executive, rationalized that the network crash had also been ‘hell’ for his wife, and shrugged it off by pretending a recurring pattern of failure is “the problem with big organisations and modern technology”. Let us hope that Rosmarin’s reputed AUD5mn (USD3.2mn) annual salary provides adequate compensation for the ‘hell’ she keeps going through despite many calls for her to resign.

Professional risk managers may want the public to care about privacy. You and I may want the public to care about privacy just because we worry about our own data being abused. But we need to draw a different conclusion from the Optus fiasco. Even when a telco has massive amounts of identity data about more than a third of a country’s population, and they then allow a huge breach to occur because of woeful security failings, with the result that many people needed to change their ID documents and politicians openly lambasted the telco’s CEO, the long-term impact on profitability is still negligible. That is not good news for anyone seeking to motivate improvements in data protection and in security more generally. But we must accept that the public is not going to motivate improvements because they do not punish companies for taking insufficient care with their data. The public expects executives and their companies to do a lousy job, and they get companies run by executives who behave accordingly.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email