Optus has lost a bid in the federal court to keep secret a report on the cause of the 2022 cyber-attack – which resulted in the personal information of about 10 million customers being exposed – after a judge rejected the telco’s legal privilege claim.
After the hack, the company announced in October last year that it had recruited consultancy firm Deloitte to conduct a forensic assessment of what had led to the cyber-attack.
Since then, the company has also faced an investigation by the Office of the Australian Information Commissioner (OAIC), and a class action case in the federal court.
As part of the class action case, law firm Slater and Gordon, acting for the applicants, had sought access to the Deloitte report that was never made public.
Optus had argued in court that the dominant purpose of the report was to assess the legal risk to the company. It claimed Deloitte’s report would assist the company’s internal and external lawyers on how to advise the company about the risks associated with the hack.
But Justice Jonathan Beach found that the company citing the Deloitte report in an October 2022 media release presented “a real problem” for Optus’s case it was for legal advice, because the release did not say the report was recommended by a lawyer or that it was for the purpose of legal advice.
He pointed to comments in the statement from Optus’s chief executive, Kelly Bayer Rosmarin, who the release said recommended the review to the board, that it would “help ensure we understand how it occurred and how we can prevent it from occurring again”.
“It will help inform the response to the incident for Optus,” Rosmarin was quoted as saying in the statement.
“This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists.”
Beach said he would hear further orders on discovery, and indicated that while he had found the whole report not to be subject to legal privilege, that did not mean parts of the report might not be subject to legal privilege.
Orders will be made at a later date.
The report will not be made public unless it is used as evidence in the case – should it proceed – and Optus does not seek to prevent its public release.
It came as the embattled CEO faces pressure over the company’s handling of a 14-hour outage on Wednesday, that took phone and internet services offline for 10 million customers, delayed trains, disconnected call centres and hospital phone lines.
The company has not announced any independent report into the incident, but it is now subject to two government investigations and a Senate inquiry.