Optus loses court battle to keep Deloitte cyberattack secret

Optus loses court battle to keep Deloitte cyberattack secret


Optus announced on October 3, 2022 that it was hiring Deloitte to do an independent external review – recommended by Ms Bayer Rosmarin – to understand how the attack occurred, and said it could “help others in the private and public sector where sensitive data is held.”

“I am committed to rebuilding trust with our customers and this important process will assist those efforts,” Ms Bayer Rosmarin said in the press release. The Deloitte report was given to Optus on July 13.

But the telecoms group, which is owned by Singapore’s Singtel, said in August that it intended to keep the completed Deloitte report confidential.

Legal claim doubted

And it made a claim for legal professional privilege – which protects confidential communications and documents between a lawyer and a client in some circumstances – in the Slater & Gordon class action.

However, Optus failed to convince Justice Beach that its main purpose in retaining Deloitte and Ashurst was to get legal advice. “Channelling material through lawyers or having lawyers make the retainer, belatedly, cannot cloak material with any privilege that it did not otherwise have,” the judgment said.

Justice Beach said the October 3, 2022 Optus announcement did not state that the Deloitte review was being recommended by a lawyer or being done for legal purposes, and that Ms Bayer Rosmarin’s comments showed the dominant purpose in her mind was not “a defensive legal or litigation strategy”.

He also said a letter to customers that Optus subsequently published on its website on October 25, 2022 was “what I would describe as a marketing document”.

The letter said Optus was “committed to learning, doing better in the future, and sharing lessons so all companies and all Australians can benefit from our terrible experience”.

“This is hardly the stuff of a report being prepared or used predominantly for legal advice or a litigation report,” the judgment said.

Justice Beach described some of the claims made by Optus general counsel Nicholes Kusalic in arguing the telco group’s case as “vague”, and said some of his evidence was “superficial”.

Optus said it was considering the decision in more detail “and what further action Optus will take to protect the contents of the report”.

Ben Hardwick, group leader of class actions for Slater & Gordon, said the judgment showed the report was not produced for the dominant purpose of seeking legal advice and that an appeal by Optus would be disappointing for the telco group’s customers.

“It’s often the case that corporate Australia attempts to stand behind their lawyers and claim privilege,” he said.

But Mr Hardwick said that the court ruling would benefit consumers when companies come out with a “public relations facade that they’re going to get to the bottom of what took place for the benefit of their customers”, because it would be harder for them to later turn around and claim privilege.

Class action

If Optus loses an appeal, and Slater & Gordon obtains the Deloitte report, it will not be publicly released. But it will become a key document in the class action that the law firm is leading, and some of the material in the report could become public through the legal proceedings.

Ms Bayer Rosmarin is understood to have become emotional on Friday at the company’s weekly “Thank God it’s Friday” briefing to all staff after a tumultuous week where her suitability to keep running the company has been questioned.

One senior communications and risk management adviser said the widespread criticism of Ms Bayer Rosmarin would be taking a huge personal toll, but noted that she appeared to have a “tin ear” and had “lost the audience” by failing to respond more promptly to the outage. “No one will listen to her now,” the adviser said.

Another former chief communications adviser to blue chip Australian companies said Optus “waited too long and let the story get away” before publicly addressing the outage, and that it did not appear to have learned the basics of crisis management from the 2022 cyberattack.

Inquiries ahead

Singtel did not respond to a request from comment on whether Ms Bayer Rosmarin had the support of the Singaporean group’s board, which has been in Sydney this week.

Ms Bayer Rosmarin will be summoned before an inquiry by the Senate’s environment and communications committee, which was called by Greens senator Sarah Hanson-Young. It is expected to kick off in the next two weeks and report in early December. Senators are concerned about Optus’ public accountability and the inquiry will examine compensation offered to customers.

A parliamentary inquiry initiated by Communications Minister Michelle Rowland is still developing its terms of reference.

The Telecommunications Industry Ombudsman is understood to be compiling complaints from Optus customers. Small businesses can claim up to $10,000 in compensation – payable by Optus – if they can prove losses during an outage, while individuals can claim up to $1500.

Optus began emailing apologies and its offer of free extra data to customers on Friday as new research suggested cost-of-living pressures could save the company from a retail customer exodus.

Data from research firm Telsyte on the network-hopping habits of Australian mobile phone users shows consumers tend to change their supplier based on price, rather than network reliability.

Optus sent messages to its disgruntled customers on Friday morning with a free data offer. 

Optus’ offer of 200 gigabytes of extra data at “normal” speeds over one billing cycle is estimated to be worth between nothing and $70, depending on uptake and usage. However, expectations are rising that the company could be hit by costly compensation claims, particularly from its business customers.

Optus was yet to respond to inquiries from The Australian Financial Review about how many customers it had lost since Wednesday, when a major network outage left millions of users unable to access the network for up to 12 hours, and how that compares with a normal week.

But Telsyte’s data gives it cause for optimism. It found one in six mobile users switched service providers last year, and when asked why they changed, by far the most common response – 31 per cent – was that their existing service had been too expensive. In comparison, only 16 per cent cited poor network reliability as a reason to shift.

“The impact [in customer churn] might be higher than Optus’ cyber incident last year, and the higher cost-of-living pressures coupled with price increases could promote higher than usual churn rates across mobile network operators,” Telsyte principal analyst Foad Fadaghi said. “MVNOs will most likely benefit.”

MVNOs, or mobile virtual network operators, are providers that resell services that run on top of the big telcos’ networks. Brands such as Aldi Mobile and Boost Mobile are Telstra MVNOs along with Woolworths’ mobile plans, whereas Amaysim and Coles Mobile are among Optus’.

“The key driver for MVNOs has been price and, despite the outages, Telsyte believes that consumers will be sticky to low-cost services,” Mr Fadaghi said.

Meanwhile, online product comparison website Finder said it experienced a 200 per cent spike in traffic on Wednesday, with customers looking for different mobile plans.

In its messages to customers on Friday morning, titled “We’re very sorry for the outage”, Optus told customers to go to its website and add the extra 200 gigabytes to their plan before the end of the year.

Making it an opt-in offer is likely to reduce the number of customers who take it up, especially as a large percentage of customers don’t use their existing data quotas each month anyway.

The most recent figures from the competition regulator showed most post-paid mobile users use only 14.5 gigabytes each month.

Head of technology, media and telecommunications at law firm Corrs, James North, said plenty of businesses would be considering their rights to transition to another provider and seek compensation for trading losses.

“The Telecommunications Industry Ombudsman has the power to deal with complaints from individual consumers and small businesses regarding service faults, but they must try and resolve the complaint with Optus first,” Mr North said.

“It is important to note that when the TIO assesses a compensation claim, it will consider what steps the customer took to protect their own interests and minimise their losses.”

With Jemima Whyte



Source link