Some Optus customers’ personal data has been accidentally released to more than 50 contractors on the short-term job website

Optus uses ARC Mercantile to recover outstanding debt from customers who have failed to pay bills. An employee of ARC Mercantile, against company policy, posted a job to, a jobs auction website, where potential workers bid to take a variety of short-term jobs or tasks for businesses. The job was to analyse data contained in a spreadsheet containing the personal information of Optus customers who owed money.

A spokesperson for ARC Mercantile would not tell Crikey what punishment the employee who posted the data on faced, but said “all necessary disciplinary action” had been taken.

Crikey has seen one of the letters sent out to customers regarding the data breach, and according to the letter, the ARC Mercantile employee posted details including name, contact number, date of birth, physical address, email address, and debt collection history information.

After Optus learned of the breach, it commenced legal action in the Supreme Court of New South Wales to force to disclose how many people on the site accessed the data. Late last month the company was ordered to disclose that 51 people had accessed the customer data.

Optus has notified the Privacy Commissioner and has written to the people who accessed the data asking them to destroy the spreadsheets they might still have. ARC Mercantile has also set up a credit alert service to monitor the credit files of customers affected for potential identity fraud over the next 12 months and has suggested those affected might want to change their phone numbers.

A spokesperson for Optus would not confirm how many customers had been affected by the breach, telling Crikey in a statement:

“Optus has become aware that an employee of a third-party supplier posted a document containing customer data to a public website. This action was unauthorised by Optus and its supplier, ARC. As soon as Optus became aware of ARC’s action we acted swiftly to remove the data and conduct a full investigation into the incident. ARC is co-operating with Optus and is undertaking all due diligence requested by Optus including reporting the matter to relevant authorities.”

Australian Privacy Commissioner Timothy Pilgrim said in a statement that he was informed of the breach by both ARC Mercantile and Optus and praised them for reporting the breach.

“We are pleased to see that Optus has notified affected individuals about this incident. Notification can be an important mitigation strategy that has the potential to benefit both the organisation and the individuals affected by a data breach. The OAIC strongly encourages notification in appropriate circumstances as part of good privacy practice.”

Earlier this month Attorney-General George Brandis released an exposure draft for mandatory data breach notification legislation. Under the legislation, which was originally planned under the former Labor government in 2013, businesses with annual turnover of over $3 million and government agencies would be required to notify customers and the privacy commissioner of “serious data breaches” that created “a real risk of serious harm” to those affected by the breach.

While many companies, including Optus, are becoming more proactive in disclosing data breaches when they occur, some businesses fear the reputational damage such disclosure can do to their brands.

Online shopping giant Catch of the Day waited three years to inform customers when it suffered a data breach compromising credit card details and user login details. To date, the company has never explained why it waited so long to inform customers of the breach.