Optus' already dented reputation took another hit after it was fined AU$1.5 million (US$980,316) for large-scale breaches of public safety rules, which put its customers at risk.
An investigation conducted by the Australian Communications and Media Authority (ACMA) found that the operator failed to upload required information for close to 200,000 mobile customers to the Integrated Public Number Database (IPND) between January 2021 and September 2023.
The IPND is used by critical services like the Emergency Alert service to warn Australians of disasters such as floods and bushfires, and by Triple Zero to provide location information to the police, ambulance and fire brigade in an emergency.
ACMA member Samantha Yorke said the investigation started after a compliance audit indicated Optus had failed to upload data via its outsourced supplier, Prvidr Pty Ltd.
"While we are not aware of anyone being directly harmed due to the non-compliance in this case, it's alarming that Optus placed so many customers in this position for so long," said Yorke.
Yorke pointed out that all telcos need to have systems in place that ensure they are meeting their obligations, including having robust oversight and assurance processes for third-party suppliers.
"Optus cannot outsource its obligations, even if part of the process is being undertaken by a third party," said Yorke.
Over the past 18 months, ACMA has taken action against five telcos for IPND breaches, with financial penalties totalling more than AU$2 million ($1.32 million).
Independent review of IPND compliance
In addition to the financial penalty, ACMA has accepted a court-enforceable undertaking from Optus that requires an independent review of its IPND compliance where it uses a third-party data provider.
The telco operator needs to make any improvements recommended by the review and was formally directed to comply with the IPND industry code.
ACMA can take Optus to federal court if it fails to comply with these directions, which can carry penalties of up to AU$10 million ($6.6 million) per breach.
Optus apologized for the non-compliance and accepted that proper audits and checks were not in place to ensure its IPND obligations were met.
"We apologize for this and accept that we have not met community expectations," said an Optus spokesperson.
"Optus accepts the ACMA's findings and has agreed to an Enforceable Undertaking to complete an independent review of the processes used to manage compliance with our IPND obligations for these partner brands and make any further improvements if required."
Reputational damage
The non-compliance with public safety rules puts another dent in Optus' reputation, which is still reeling from a couple of incidents in the last two years.
In November, Australia's second-largest telco was hit by a 14-hour outage that took down its mobile and broadband networks, cutting health and emergency services, urban train services, contact centers, SMS authentication and electronic retail payments.
The network crash, caused by a botched network upgrade, affected more than 10 million customers. It drove tens of thousands of Optus subscribers to switch to other providers, while parent company Singtel lost $40 million over the crash, which weighed heavily on its earnings for the December quarter.
In September 2022, a cyberattack exposed the personal data of as many as 10 million Optus customers in the biggest ever data breach of an Australian telco. Singtel set aside $101 million to pay for compensation or legal action over the theft of Optus customer data.