Optus ordered to hand over top secret report into huge data breach that cost CEO her job and sparked a massive legal action

Telecom giant Optus has been ordered to hand over a secret report into exactly how millions of customers had their private information stolen by hackers.

Optus brought on professional services network, Deloitte, to conduct a review into the company shortly after the massive data breach between September 17 and 20, 2022.

Close to 10 million customers had their personal information, such as passports, drivers licences and telephone numbers, stolen during the hack.

The company was in Federal Court on Monday appealing a prior decision by judge Jonathan Beach requiring them to pony up the document.

A full court of Federal Court judges – Bernard Murphy, Stewart Anderson and Penelope Neskovicin – on Monday unanimously upheld the order.

Optus has now twice failed to prove the report was primarily for legal purposes and must now tender the document into evidence in a class action brought forward by customers affected by the hack.

Telecom giant Optus has been ordered by the Federal Court to tender a top secret report by Deloitte into a massive data breach in September 2022 (stock image)

The Federal Court found Optus’ appeal also hadn’t proven the report was for other reasons.

The court cited a media release from then-CEO Kelly Bayer Rosmarin.

Ms Bayer Rosmarin said in October 2022 that the report ‘would play a crucial role in the response to the incident for Optus, as it works to support customers’.

‘While our overwhelming focus remains on protecting our customers and minimising the harm that might come from the theft of their information, we are determined to find out what went wrong.

‘This review will help ensure we understand how it occurred and how we can prevent it from occurring again.

‘It will help inform the response to the incident for Optus.’

She added Deloitte’s report was an ‘important process’ to ‘rebuilding trust with our customers’.

Optus suffered dual catastrophes – the cyberattack and then a 14-hour network outage months later in November – that forced Ms Bayer Rosmarin into resigning from her role last year. 

Optus barrister Steven Finch, SC, told the court during a hearing in May that it would be hard to find a media release flagging a legal purpose for a report of its kind.

Mr Finch argued that the releases’ point ‘is to calm’, the Australian Business Network reports. 

The Federal Court instead ruled the release was ‘significant to the primary judges’ findings’ which they found to have been correct.

The breach saw the personal information, such as passport, drivers licence and telephone numbers, of about 10 million customers stolen during the hack.

The cyberattack and a 14-hour network outage in November forced then-CEO Kelly Bayer Rosmarin (pictured) into resigning from her role last year

Optus general counsel Nicholes Kusalic’s evidence before judge Beach as to why the company was ‘vague’ about its reasoning behind the report was also shot down by the court.

‘Not only did Optus not put on direct evidence from Ms Bayer Rosmarin or any Board member, Mr Kusalic’s evidence did not even provide hearsay evidence, on the basis of information and belief, as to Ms Bayer Rosmarin’s state of mind, or as to the state of mind of the Board members to the extent that he talked to them,’ the judgement read.

‘In our opinion, the primary judge was correct to find on the evidence that there were multiple purposes for which the Deloitte Report was commissioned.

‘The evidence did not establish that the Deloitte Report was procured for the dominant purpose of Optus obtaining legal advice or for use in litigation or regulatory proceedings.’

The judgement found that the Deloitte report was also procured to identify the cause of the cyberattack and review Optus’ management and response to the breach.

Optus is also facing two probes into the breach by the Office of the Australian Information Commissioner and the Australian Communications and Media Authority.
