Optus data breach – working with our reporting entities

On 22 September 2022, a cyber-attack on Optus resulted in the disclosure of their customers’ personal information. Optus customer information including names, dates of birth, email addresses, driver’s licences, Medicare cards and passport numbers may have been exposed. While the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 does not apply to telecommunication service providers, the disclosure of customers’ personal information may heighten money laundering, terrorism financing and crime risks for AUSTRAC regulated businesses.

The Australian Government developed a factsheet about the Optus data breach, which provides advice for affected Optus customers and details the action the government is taking to protect customers’ identities.

Implications for AUSTRAC-regulated businesses

Given the potential for heightened risk of money laundering, terrorism financing and other serious crime, reporting entities should remain vigilant to the impacts of the data breach when undertaking electronic verification of a customer’s identity.

AUSTRAC encourages reporting entities to consider implementing controls to respond to the increased risk of identity theft, including when accepting new customers and when monitoring existing customers who may have had their personal data compromised. The systems and controls reporting entities implement may include, but are not limited to, mechanisms to prevent unauthorised access to a customer’s account, such as requiring two-factor authentication.

Reporting entities are only required to re-verify the identity of existing customers on a risk basis. Where a reporting entity verified a customer’s identity before the data breach, and remains reasonably satisfied that a customer is who they claim to be, it will generally be sufficient to continue to apply ongoing customer due diligence measures in accordance with the reporting entity’s AML/CTF Program.

However, if at any time a reporting entity suspects on reasonable grounds that a customer is not the person they claim to be, or has doubts about the veracity or adequacy of documents or information previously obtained for the purpose of identifying or verifying the customer’s identity, it must re-verify the customer’s identity. Reporting entities must not provide a designated service to a customer until they are reasonably satisfied that the customer is who they claim to be.

Find more information about customer due diligence requirements.

Reporting obligations following personal data breaches

If a reporting entity suspects that a customer or transaction may be relevant to the investigation of a crime, including where it reasonably suspects that a person is not who they claim to be or is the victim of a crime (including through fraudulent or stolen documents), it must submit a suspicious matter report (SMR) to AUSTRAC. When submitting SMRs and other reports to AUSTRAC related to the data breach, we request that reporting entities include the reference ‘FA43407’.

Application of the Privacy Act

AUSTRAC reminds all reporting entities that they are subject to the requirements of the Privacy Act. See further details on record-keeping requirements.