
Optus data breach: an update for APRA regulated entities

On 22 September 2022, Optus reported a cyber-attack resulting in a data breach of approximately 9.8 million customer records. The incident and its impact are still under investigation. However, it is suspected that the compromised data may include customers' names, dates of birth, phone numbers and email addresses and, for a subset of customers, residential addresses and ID document numbers such as driver's licence or passport numbers. The perpetrators may use this information to commit identity theft and carry out fraudulent transactions; in particular, these attributes can no longer be relied on as proof of identity for affected customers. Based on the information available to date, the attack's exposure is limited to retail customers (and potentially small businesses), while enterprise accounts do not appear to be impacted.

As a matter of priority, all APRA-regulated entities should, where possible, harden controls on high-risk processes and transactions, e.g. digital customer on-boarding and the setting up of first-time payees. Examples of such controls include additional two-factor authentication requirements and call-backs to the customer on a previously verified contact number. Entities should also communicate appropriately with their customers to raise awareness, and direct them to reputable sources such as the ACSC, Moneysmart and the Office of the Australian Information Commissioner, which outline additional steps customers can take to limit the risk of fraud.

APRA-regulated entities are also reminded of their notification requirements under Prudential Standard CPS 234 Information Security regarding information security incidents and control weaknesses.

If you have any queries, please contact your APRA supervisory team.

Media enquiries

Contact APRA Media Unit, on +61 2 9210 3636

All other enquiries

For more information contact APRA on 1300 558 849.

The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9 trillion in assets for Australian depositors, policyholders and superannuation fund members.