Dec 17, 2015

Over 30,000 Optus customers’ data published, but debts not automatically forgiven

A debt collector who tried to outsource his or her own job published the personal information of more than 30,000 mostly former Optus customers online.

Josh Taylor — Journalist

Josh Taylor


The personal data of 31,150 mostly former Optus customers was posted on short-term job website in major breach of their privacy, Crikey can reveal. Earlier this week, Crikey reported that an employee of the telecommunications company's debt collector ARC Mercantile had posted a spreadsheet of data of customers who owed a debt to Optus onto, a job auctions website where potential workers bid to undertake a variety of short-term jobs or tasks. Against the policies of both Optus and ARC Mercantile, the employee was seeking to get a worker to analyse the data (which was the ARC Mercantile employee's job) and uploaded a spreadsheet of the data earlier this year. The data included customer names, contact numbers, physical and email addresses, date of birth and debt collection history information. The data has since been removed from, and Optus has been attempting to track down the 51 people who accessed the data while it was online to have the data destroyed. Optus has subsequently sent out a letter to customers who had their data posted online advising them of the situation and offering a free alert service for potential identity fraud. The company has said those who are affected might want to change their phone numbers.


Optus would not say how many customers were affected, but Crikey has learned that the breach affected 31,150 people. According to an internal Optus document seen by Crikey, of the 31,150 people affected, only 164 remain Optus customers. They cleared their debts and had their services reconnected. The remaining 30,986 people remain disconnected. Optus says in the document that while ARC Mercantile had been managing the debt of those customers, because of the breach, Optus has decided to manage the debt for those customers internally. Optus has not told Crikey that it intends to sever its relationship with ARC Mercantile. Optus has not said it intends to pre-emptively forgive all of the debts of the 31,150 customers, but the document reveals Optus is prepared to pay compensation for those affected, including for phone number changes, passport replacement and other ID changes. There is also the option for "discretionary credits" to be issued to resolve debts for customers who complain about having their data exposed. Crikey asked Optus to confirm the figure yesterday, but the company again refused to comment. Optus has over 9 million active mobile services. ARC Mercantile has also declined to state whether the employee who was seeking to outsource his or her own job had been fired, stating simply that "all necessary disciplinary action" had been taken. The Australian Privacy Commissioner Timothy Pilgrim was informed of the breach by Optus and ARC Mercantile.

Free Trial

You've hit members-only content.

Sign up for a FREE 21-day trial to keep reading and get the best of Crikey straight to your inbox

By starting a free trial, you agree to accept Crikey’s terms and conditions


Leave a comment

0 thoughts on “Over 30,000 Optus customers’ data published, but debts not automatically forgiven

  1. Norman Hanscombe

    This might inspire the Crikey Commissariat to revise its puerile opposition to Government efforts to strengthen our Internet Security.
    But I forgot, the outside world has little in common with those inhabiting the Crikey Bunkers, does it.

Share this article with a friend

Just fill out the fields below and we'll send your friend a link to this article along with a message from you.

Your details

Your friend's details