The Optus breach: everyone asked the wrong question

Introduction 

In September 2022, the data of nearly 10 million Optus users was leaked, including passports and driver’s license numbers. Subsequently, the public discussion quickly turned to countermeasures, such as replacing documents and alerting against fraud; the government also urgently revised the law so that victims could replace relevant documents; Optus publicly apologized and promised to improve.

However, behind these remedies a more fundamental problem is ignored. The key question is not “how should users protect themselves” or “is the fine large enough”, but why Optus held these data in the first place.

As Suzor (2019) pointed out, digital platforms exercise almost absolute power over users through user agreements. The user either accepts all the terms (including unnecessary data collection) or gives up the service. But in reality, the cost of changing communication operators is relatively high, and most users can only passively choose to stay. Therefore, the so-called “consent” is not a real choice.

This article argues that the questions the public raised after the Optus data leak were themselves misdirected. The core issue is not how users can remedy the damage, but why enterprises are allowed to collect and retain sensitive data that they do not really need.

What actually happened  

In September 2022, Optus, Australia’s second largest telecommunications operator, suffered a large-scale cyber attack. The attacker obtained user data through an unprotected application programming interface (API) (Flew, 2018). The API was originally used for data exchange, but because it lacked an adequate authentication mechanism, the attacker could extract a large amount of sensitive information without cracking any password.

The incident affected about 9.8 million existing and former users, roughly one-third of Australia’s population. The accessed data included names, dates of birth, phone numbers, email addresses, home addresses, passport numbers and driver’s licence numbers (Office of the Australian Information Commissioner [OAIC], 2025). Some users’ Medicare numbers were also leaked.

When OAIC officially filed a civil lawsuit against Optus in 2025, it confirmed that some of the stolen information had been published on the dark web (OAIC, 2025), which means that the victim’s sensitive identity information may have been used by criminals for identity theft or financial fraud.

After the attack, Optus initially tried to shift part of the responsibility to users. The company publicly said that the impact of the leak could be mitigated “if customers remain vigilant and take appropriate security measures”. This statement provoked widespread criticism, because the root of the problem was Optus’ own system vulnerability, not user behaviour.

In response, the Australian government urgently passed the Telecommunications Legislation Amendment (Identification Verification) Act 2022, so that victims could replace a leaked passport or driver’s licence using other documents. State and territory governments also coordinated to launch fast replacement services one after another.

Subsequently, Optus issued a public apology statement, promising to strengthen security measures and provide free credit monitoring services for affected users. However, according to the allegations of OAIC (2025), Optus failed to take reasonable measures to protect the personal information it holds, including the failure to destroy sensitive data that is no longer needed in time, and the failure to conduct adequate security tests on the API.

In general, the Optus data breach was not a technically sophisticated attack, but it exposes a more fundamental problem: a telecommunications company held a large amount of sensitive identity information unrelated to its core business, yet failed to protect it adequately. When an API has basic vulnerabilities, the data of about 9.8 million users can be put at risk in a very short time.

The questions everyone was asking 

After the data breach incident occurred, public discussion quickly focused on several directions. The first question the victim asked was: Has my data been leaked? As Optus initially failed to provide clear communication, customers had to guess for themselves whether their information was secure. Federal Minister Tanya Plibersek publicly criticized Optus for its “extreme” lack of communication with customers and the government.

The second widely discussed question was: How can I protect myself? The media repeatedly urged users to replace their passports and driver’s licences, be vigilant against phishing text messages and fraud calls, and monitor their personal credit reports. The government allowed victims to replace leaked identity documents with other documents. Optus committed to providing 12 months of free credit monitoring to affected customers.

[Illustration: a user receives an urgent notice to update their personal information]

The third question was: What punishment will Optus face? Under the current legal framework, the maximum fine for violating the Privacy Act 1988 is only A$2.22 million (OAIC, 2025). Attorney General Mark Dreyfus said that businesses should not view fines as “operating costs” and promised to push for amendments to increase the severity of penalties.

The fourth question was: What should the government do? Communications Minister Michelle Rowland announced a revision of telecommunications regulations to allow Optus to share customer information with financial institutions to a limited extent, so that banks could identify high-risk accounts and enhance monitoring. The government also announced a comprehensive review of the Privacy Act.

However, there is a common feature behind these discussions: they all start from the perspective that “users are victims and need to be remedied”, rather than questioning the legitimacy of the enterprise’s actions.

Kelly Bayer Rosmarin, the CEO of Optus, publicly apologized and placed a full-page advertisement in major newspapers stating that the company was “deeply sorry”, but she refused to resign over the incident. This response pattern, apology, commitment to improvement, refusal to take responsibility, is exactly the digital platforms’ crisis response described by Flew (2018).

The question nobody asked 

While public discussions have focused on “how users can remedy the situation” and “what kind of punishment Optus should receive”, a more fundamental question has never been raised: Why did Optus collect and retain this sensitive identity document information in the first place?

According to the documents submitted by the ACMA to the Federal Court, Optus had exposed an API subdomain to the Internet since April 2017. In September 2018, a coding error caused the access control on this API to fail, and Optus missed several opportunities to identify the error over the following four years: when the code change was released to the production environment in 2018, when the domain name was officially made available on the Internet in 2020, and when the same error was found on the main domain name in August 2021 (ACMA, 2024).

It is precisely this vulnerability that enables attackers to bypass the authentication mechanism and steal user data on a large scale through a simple process of trial and error.
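The two defects the text describes, an API reachable from the Internet with no authentication, and a self-service lookup that hands back full identity records, can be shown side by side in code. The following is an added example written for this article, not Optus’ code; the record layout, the customer ids and document numbers, and the session mechanism are constructed assumptions. The unprotected handler returns whatever record is asked for; the hardened handler requires a valid session, only serves the caller’s own record, and never returns document numbers at all, so that a repeat of the same coding error would leak far less.

```python
"""Unprotected vs. hardened customer-lookup handler (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample records; all names, ids and document numbers are fake.
CUSTOMERS = {
    1001: {"id": 1001, "name": "Alice Example", "email": "alice@example.invalid",
           "dob": "1990-01-01", "passport_no": "PA0000001", "licence_no": "DL0000001"},
    1002: {"id": 1002, "name": "Bob Example", "email": "bob@example.invalid",
           "dob": "1985-05-05", "passport_no": "PA0000002", "licence_no": "DL0000002"},
}

# Fields a self-service endpoint has no business returning.
SENSITIVE_FIELDS = {"passport_no", "licence_no", "dob"}


@dataclass
class Request:
    """A minimal model of an incoming API call (hypothetical shape)."""
    customer_id: int
    session_token: Optional[str] = None


class AuthError(Exception):
    """Raised when a request is unauthenticated or not authorised."""


def lookup_customer_unprotected(req: Request) -> dict:
    """The defect class described in the text: any caller who can reach the
    endpoint and supply a customer id receives the full record. No credential
    is checked and the caller is never tied to the record requested."""
    return dict(CUSTOMERS[req.customer_id])


# --- hardened version -------------------------------------------------------

# Server-side session store: token -> customer id (assumed to be filled at login).
SESSIONS: dict = {}


def issue_session(customer_id: int) -> str:
    """Issue an unguessable session token bound to one customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def authenticate(req: Request) -> int:
    """Return the customer id bound to the presented token, or raise."""
    if not req.session_token:
        raise AuthError("missing credential")
    for token, cid in SESSIONS.items():
        # constant-time comparison avoids leaking token bytes through timing
        if hmac.compare_digest(token, req.session_token):
            return cid
    raise AuthError("invalid credential")


def lookup_customer_hardened(req: Request) -> dict:
    """Authenticate, authorise (own record only), then minimise the response."""
    caller = authenticate(req)
    if caller != req.customer_id:
        raise AuthError("forbidden: callers may only read their own record")
    record = CUSTOMERS[req.customer_id]
    # Data minimisation: document numbers never travel through this endpoint,
    # so even an access-control regression cannot expose them here.
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}


if __name__ == "__main__":
    print(lookup_customer_unprotected(Request(1001)))        # full record, no login
    tok = issue_session(1001)
    print(lookup_customer_hardened(Request(1001, tok)))      # own record, minimised
```

The point of the hardened version is that three independent controls stand between a stray caller and a passport number: a credential check, an ownership check, and a response that simply does not contain the field. Any one of them failing, as the 2018 coding error did for access control, still leaves the other two in place.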

However, technical loopholes are only superficial issues. The deeper question is: Why does Optus hold these data?

The official documents of Optus show that identity documents are collected for the “identity document verification service” with the aim of “helping to ensure the integrity and security of services and products and prevent identity theft, fraud and abuse” (Optus, n.d.).

But the question is: Why are these data retained for a long time after the identity verification is completed? According to Article 3 of the Australian Privacy Principles (APP), entities can only collect personal information that is “reasonably necessary” for one or more of their functions or activities (Gilbert+Tobin, 2021).

Digital platforms and service providers have long styled themselves as “neutral intermediaries”, evading the responsibilities they should bear (Flew, 2018). Optus collects sensitive information under the guise of “identity verification” but retains such data after the verification is completed. Whether this practice meets the legal standard of “reasonable necessity” has never been seriously examined by public discussion.

Why the blame keeps shifting to users 

After every large-scale data breach there is almost always the same narrative loop: the media remind users to change passwords, monitor credit records and be wary of phishing; the government promises to strengthen supervision and increase fines; the enterprise issues an apology and says it will make improvements.

In this cycle, responsibility is systematically transferred from the enterprise to the user – the user becomes the ultimate risk bearer, while the institutions that really collect and hold data are often able to withdraw.

This shift of responsibility is not accidental, but rooted in the deep logic of the platform economy. Digital platforms have long shaped themselves as “neutral intermediaries”, positioning themselves as mere providers of communication technology rather than managers of content or data (Flew, 2018).

This self-positioning enables them to evade the legal responsibilities borne by traditional service providers while retaining “near-absolute control” over the platform through user agreements (Suzor, 2019).

Optus’ response model is precisely the embodiment of this logic: After the leakage occurred, the then CEO Kelly Bayer Rosmarin publicly apologized, but at the same time refused to take personal responsibility.

This is in perfect alignment with the digital platforms’ crisis response model described in Flew (2018): apology, commitment, but refusal of fundamental change.

Why can this transfer of responsibility persist? Because the current system provides enterprises with a legal channel to pass on costs. According to Article 11 of the Australian Privacy Principles (APP), entities must take reasonable steps to destroy or de-identify personal information that is no longer needed.

However, the enforcement of this clause depends heavily on corporate self-awareness: the OAIC’s accusation shows that Optus failed to comply with this obligation and retained a large amount of no-longer-needed data for a long time.
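The obligation under APP 11 to destroy or de-identify personal information that is no longer needed, and the earlier question of why document numbers were kept after verification had finished, can be made concrete as a retention job. The following is an added example for this article, not Optus’ process; the record layout, the retention periods and the idea that a verification keeps only its outcome are constructed assumptions. It keeps the document number only until the verification is decided, treats verifications that never complete as stale after a fixed window, and provides a check a compliance reviewer could run to find records still holding document numbers.

```python
"""Identity-verification records with a retention sweep (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Hypothetical policy values, not taken from any regulation or from Optus.
DESTROY_AFTER_VERIFICATION = timedelta(days=0)   # outcome decided -> destroy now
DESTROY_UNVERIFIED_AFTER = timedelta(days=30)    # never decided -> destroy when stale


@dataclass
class VerificationRecord:
    customer_id: int
    document_type: str                 # e.g. "passport", "licence"
    document_number: Optional[str]     # None once destroyed
    collected_at: datetime
    verified_at: Optional[datetime] = None
    outcome: Optional[str] = None      # "pass" / "fail"; the only thing kept


def complete_verification(rec: VerificationRecord, passed: bool, now: datetime) -> VerificationRecord:
    """Record the outcome of a check; the number itself is no longer needed."""
    rec.verified_at = now
    rec.outcome = "pass" if passed else "fail"
    return rec


def retention_sweep(records: List[VerificationRecord], now: datetime) -> int:
    """Destroy document numbers that are no longer needed. Returns how many
    were destroyed. Runs idempotently: already-destroyed records are skipped."""
    destroyed = 0
    for rec in records:
        if rec.document_number is None:
            continue
        if rec.verified_at is not None:
            due = now - rec.verified_at >= DESTROY_AFTER_VERIFICATION
        else:
            due = now - rec.collected_at >= DESTROY_UNVERIFIED_AFTER
        if due:
            rec.document_number = None
            destroyed += 1
    return destroyed


def over_retained(records: List[VerificationRecord], now: datetime) -> List[int]:
    """Compliance check: customer ids whose document number should already
    have been destroyed under the policy above but is still held."""
    flagged = []
    for rec in records:
        if rec.document_number is None:
            continue
        if rec.verified_at is not None and now - rec.verified_at >= DESTROY_AFTER_VERIFICATION:
            flagged.append(rec.customer_id)
        elif rec.verified_at is None and now - rec.collected_at >= DESTROY_UNVERIFIED_AFTER:
            flagged.append(rec.customer_id)
    return flagged


def sample_records(now: datetime) -> List[VerificationRecord]:
    """Constructed sample data: ids and document numbers are fake."""
    return [
        # verified two years ago, number still held: the situation the text describes
        VerificationRecord(1001, "passport", "PA0000001",
                           now - timedelta(days=730), now - timedelta(days=730), "pass"),
        # collected a year ago, never completed: stale, should be destroyed
        VerificationRecord(1002, "licence", "DL0000002", now - timedelta(days=365)),
        # collected today, in progress: still legitimately needed
        VerificationRecord(1003, "passport", "PA0000003", now),
    ]


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    recs = sample_records(now)
    print("over-retained before sweep:", over_retained(recs, now))   # [1001, 1002]
    print("destroyed:", retention_sweep(recs, now))                  # 2
    print("over-retained after sweep:", over_retained(recs, now))    # []
```

The design choice worth noting is that `over_retained` and `retention_sweep` apply the same rule, so the check reports exactly what the sweep would destroy; an audit that disagrees with the job is a sign the policy was never actually encoded in the system.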

When a leak occurs, the legal punishment targets the enterprise’s “compliance failure” rather than the act of “excessive collection” itself. This means that as long as enterprises pay fines after the leakage and commit to rectification, their data collection models can continue to operate basically unchanged.

Suzor (2019) traces this problem back to a more fundamental power structure. He points out that platforms and large data holders have obtained state-like governance power through user agreements, while no corresponding accountability mechanism has been established.

From a legal point of view, users seem to have the option of “leaving”, but in reality, whether it is changing telecommunications operators or giving up social media, the cost is extremely high and almost impossible to achieve.

Therefore, the so-called “user choice” is fictional from the beginning. The final result of this transfer of responsibility is that the incentive for enterprises to collect data is unchanged, users still bear the risk, and the cycle of data leakage is difficult to break.

Conclusion: a different way to think about data breaches 

On the surface, the Optus data leak seems to be just a technical event: the API lacked protection, so attackers exploited it. However, this article emphasizes that technical loopholes are only the tip of the iceberg, and the deeper institutional structure is the fundamental reason data leaks occur so frequently.

Suzor (2019) reveals the first institutional problem: platforms and service providers obtain almost absolute power through user agreements, and the so-called user “consent” never really constitutes an effective choice. Flew (2018) pointed out the second problem: under the framework of self-regulation, enterprises lack sufficient motivation to effectively protect user data, and the responsibility is systematically transferred to individuals.

Combining these two mechanisms, a clear conclusion can be drawn: as long as the enterprise’s incentive to collect data is left untouched, users still have no right to say “no”, and supervision remains stuck at fining incidents without asking “why store it at all”, the cycle of data leakage cannot end.

Technical patching may fix an API vulnerability, but it cannot fill the institutional gap. When the next leak occurs, if we still only ask “how do I replace my documents”, the question will still be misplaced.
