Individual Assignment
| Assessment Details and Submission Guidelines | |
| Trimester | T1 2026 |
| Unit Code | HI5031 |
| Unit Title | Professional Issues in IS Ethics and Practice |
| Assessment Type | Individual Assignment |
| Weight | 50 % |
| Word limit (if applicable) | 2500 words |
| Submission Guidelines | |
| Academic Integrity Information | Holmes Institute is committed to ensuring and upholding academic integrity. All assessments must comply with academic integrity guidelines. Please learn about academic integrity and consult your teachers with any questions. Violating academic integrity is serious and punishable by penalties that range from deduction of marks, through failure of the assessment task or unit involved and suspension of course enrolment, to cancellation of course enrolment. |
| Penalties | |
Individual Assignment Guidelines and Specifications
HI5031 Professional Issues in IS Ethics and Practice
Individual Case Study Report – Submission Structure
You need to submit the final version of your assignment in Week 5.
Case Study
Optus Data Breach, 2022
Students should use the 2022 Optus data breach as the main case study. The breach exposed the personal information of millions of Australian customers, including names, dates of birth, phone numbers, email addresses, addresses, and identity document details. The incident raised major concerns about cybersecurity governance, privacy protection, data management, corporate accountability, and ethical responsibility.
Case Study Topic
Optus Data Breach: Privacy, Cybersecurity Governance, and Organisational Accountability
Read the case study on the 2022 Optus data breach, then prepare an individual analytical report using the structure below.
Assignment Instructions
In this assessment, you are required to critically analyse the Optus data breach from a professional, ethical, legal, and organisational perspective. Your report should demonstrate your understanding of information systems ethics, cybersecurity responsibility, professional conduct, privacy protection, and ethical decision-making.
Your discussion must be supported by academic research and relevant professional sources.
You must use at least ten quality references, including journal articles, cybersecurity standards, privacy regulations, government or regulatory reports, and professional codes of conduct.
You must apply:
- one professional code of conduct, such as ACS, ACM, or IEEE; and
- at least two ethical theories, such as utilitarianism, deontology, contract theory, or virtue ethics.
Report Structure
1. Executive Summary — 200 words
Provide a brief overview of the Optus data breach, the main cybersecurity and ethical issues, the key findings of your analysis, and the main recommendations.
2. Background of the Case — 300 words
Briefly explain the Optus data breach
3. Stakeholder Identification and Impact Analysis — 350 words
Identify the key stakeholders involved in or affected by the breach
4. Cybersecurity, Privacy, and Governance Issues — 450 words
Analyse the major cybersecurity, privacy, and governance issues in the Optus case
5. Professional Conduct Analysis — 400 words
Choose one professional code of conduct: ACS, ACM, or IEEE.
Use the selected code to analyse the responsibilities of:
- Optus leadership;
- IT and cybersecurity professionals;
- data governance and privacy officers;
- employees responsible for handling customer information.
Your analysis should consider professional duties such as:
- acting in the public interest;
- protecting privacy and confidentiality;
- maintaining professional competence;
- ensuring security of information systems;
- being honest and transparent;
- accepting accountability for professional decisions.
6. Ethical Theory Application — 500 words
Apply at least two ethical theories to the Optus data breach. You may choose from:
- Utilitarianism — evaluating overall harm and benefit to customers, Optus, regulators, and society;
- Deontology — assessing duties and obligations to protect customer data regardless of business cost;
- Contract theory — examining the trust relationship between Optus and its customers;
- Virtue ethics — evaluating whether Optus demonstrated integrity, responsibility, honesty, and care.
Explain how these theories help evaluate the decisions and actions of Optus, its employees, regulators, and other relevant stakeholders.
7. Legal and Regulatory Accountability — 250 words
Discuss the legal and regulatory implications of the Optus data breach
8. Recommendations — 250 words
Provide practical and justified recommendations for preventing similar incidents and improving ethical organisational practice.
9. Conclusion — 100 words
Summarise your overall findings and explain why the Optus data breach is an important case for understanding privacy protection, cybersecurity ethics, professional responsibility, and organisational accountability in information systems practice.
10. Reference List
Use Adapted Harvard referencing style.
All references must be cited in-text in the body of your report. You must include at least ten quality academic or professional references.
Important Notes
- Word Count: 2500 words, excluding references.
- Submission Format: Single MS Word document.
- Do not submit as PDF or Pages.
- Headings, citations, references, and appendices do not count towards the word limit.
Student Assessment Citation and Referencing Rules
Adapted Harvard Referencing Rules
Holmes has implemented a revised Harvard approach to referencing. The following rules apply:
- Reference sources in assignments are limited to sources that provide full-text access to the source's content for lecturers and markers.
- The reference list must be located on a separate page at the end of the essay and titled: "References".
- The reference list must include the details of all the in-text citations, arranged A-Z alphabetically by author surname with each reference numbered (1 to 10, etc.) and each reference MUST include a hyperlink to the full text of the cited reference source. For example:
| 1. Hawking, P., McCarthy, B. & Stein, A. 2004. Second Wave ERP Education, Journal of Information Systems Education, Fall, http://jise.org/Volume15/n3/JISEv15n3p327.pdf |
- All assignments must include in-text citations to the listed references. These must include the surname of the author/s or name of the authoring body, year of publication, page number of the content, and paragraph where the content can be found. For example, “The company decided to implement an enterprise-wide data warehouse business intelligence strategies (Hawking et al., 2004, p3(4)).”
In the citation (Hawking et al., 2004, p3(4)), "Hawking et al." is the author, "2004" is the year, "p3" is the page, and "(4)" is the paragraph.
Non-Adherence to Referencing Rules
Where students do not follow the above rules:
- For students who submit assignments that do not comply with the rules, a 10% penalty will be applied.
- As per the Student Handbook, late penalties will apply each day after the student/s has been notified of the due date.
- Students who comply with the rules but whose citations are "fake" may be reported for academic misconduct.
HI5031 Individual Assignment T1 2026
Marking Criteria and Rubric:
| Criteria | HD (80-100%) | DI (70-79%) | CR (60-69%) | PS (50-59%) | FL (0-49%) |
|---|---|---|---|---|---|
| Report Quality - Introduction and Conclusion - 10 Marks | Professionally presented and suitably structured report. Excellent Introduction and conclusion. | Very Good presentation and suitable structure. Good Introduction and conclusion. | Good presentation and structure with minor errors. Introduction and Conclusion need improvement. | Appropriate report structure and presentation. Basic introduction and conclusion provided. | Poor report presentation. Poor/no introduction and Poor/no conclusion. |
| Identification of Ethical Dilemma - 15 Marks | Excellent and precise discussion points addressing ethical dilemma. | Very good discussion points addressing ethical dilemma. | Good discussion points addressing ethical dilemma. | Adequate discussion points addressing ethical dilemma. | Inadequate discussion points. |
| Identification of Other issues - 20 Marks | Excellent identification of issues and justified with academic references. | Very good identification of issues and justified with academic references. | Good identification of issues and justified with some academic references. | Adequate identification of issues and justified with few academic references. | Has not identified issues appropriately. Limited academic references. |
| Analysis of the Actions of the CEO - Code of Ethics - 15 Marks | Comprehensive analysis of the actions of the CEO of Colonial Pipeline from the perspective of a Suitable Code of Ethics. | Adequate analysis of the actions of the CEO of Colonial Pipeline from the perspective of a Suitable Code of Ethics. | Makes a genuine attempt to analyse the actions of the CEO of Colonial Pipeline from the perspective of a Suitable Code of Ethics. | Reasonable analysis of the actions of the CEO of Colonial Pipeline from the perspective of a Suitable Code of Ethics. | Incorrect response to analyse the actions of the CEO of Colonial Pipeline from the perspective of a Suitable Code of Ethics. |
| Analysis of the other issues - Classical Ethical Theories - 20 Marks | All relevant ethical theories are appropriately applied to the ethical issue/issues being analysed. Reasons and objections are correctly presented. | All relevant ethical theories are mostly correctly applied. Reasons and objections are mostly correctly presented. Minor omissions only. | Makes a genuine attempt at applying the ethical theories to the analysis of the ethical issue/issues. | The ethical theories do not link well with the analysis of the ethical issue/issues presented. | The ethical theories are inadequately or inappropriately applied to the analysis of the ethical issue/issues presented. |
| Recommendations & Justifications - 10 Marks | Excellent, relevant and logical Recommendations with Appropriate justification. | Very good and relevant Recommendations with suitable justification. | Good Recommendations that are not logical but have some justifications. | Adequate and partially relevant recommendations and weak justification. | Inadequate and non-relevant recommendations and poor justification. |
| Referencing - 10 Marks | High Quality Academic sources used (Proquest). Appropriately referenced using the Holmes Adapted Harvard style, both in-text and full-text. | Good Quality Academic sources used (Research Gate, Google Scholar etc). Referenced using the Holmes Adapted Harvard style, both in-text and full-text. Minor errors. | A mix of Good Quality sources (Academic, Web and General). Referenced using the Holmes Adapted Harvard style, both in-text and full-text. Minor errors. | A mix of Good Quality sources (Academic, Web and General). Referenced using the Holmes Adapted Harvard style, both in-text and full-text. Major errors. | No Academic or Credible sources used. Not referenced accordingly using the Holmes Adapted Harvard style, both in-text and full-text. |
| TOTAL Weight for this assignment marking 50% | | | | | |
Note: This sample is for guidance purposes only and should be used as a reference to assist with understanding the assignment requirements.
Optus Data Breach (2022): Privacy, Cybersecurity Governance, and Organisational Accountability
1. Executive Summary (Sample – 200 words)
The 2022 Optus data breach was one of Australia's largest cybersecurity incidents, exposing the personal information of approximately 9.8 million current and former customers. The compromised data included names, addresses, dates of birth, email addresses, phone numbers, and identification document details. The incident raised serious concerns regarding cybersecurity governance, privacy protection, ethical responsibility, and organisational accountability.
This report analyses the Optus breach from professional, ethical, legal, and governance perspectives. Key stakeholders affected by the breach include customers, Optus management, employees, regulators, shareholders, and government agencies. The report identifies weaknesses in cybersecurity controls, data management practices, and risk governance processes.
The Australian Computer Society (ACS) Code of Professional Conduct is applied to evaluate the responsibilities of Optus leadership and information technology professionals. Additionally, Utilitarianism and Deontology are used to assess the ethical implications of Optus's actions before and after the breach.
The analysis concludes that inadequate security controls and governance failures contributed significantly to the incident. Recommendations include stronger cybersecurity frameworks, improved data minimisation practices, regular security audits, enhanced employee training, and greater transparency in incident response. The Optus breach demonstrates the importance of ethical decision-making and professional accountability in modern information systems management.
2. Background of the Case (Sample – 300 words)
In September 2022, Optus, Australia's second-largest telecommunications provider, experienced a significant cyberattack that exposed customer information stored within its systems. According to Optus, an attacker gained unauthorised access through an internet-facing application programming interface (API) that lacked adequate security controls.
The breach affected approximately 9.8 million current and former customers. Exposed information included customer names, dates of birth, email addresses, phone numbers, residential addresses, and identity document numbers such as passport and driver's licence details.
Following the breach, concerns emerged regarding Optus's cybersecurity governance, risk management practices, and compliance with privacy regulations. Customers expressed frustration regarding the handling of their personal information and the potential risks of identity theft and fraud.
The Australian Government, the Office of the Australian Information Commissioner (OAIC), and other regulatory authorities launched investigations into the incident. Public scrutiny increased as questions arose concerning whether Optus had retained excessive customer data and whether adequate cybersecurity measures had been implemented.
The breach resulted in significant reputational damage, legal consequences, financial costs, and loss of public trust. The case has become an important example of cybersecurity failures and organisational accountability in Australia.
3. Stakeholder Identification and Impact Analysis (350 words)
Customers
- Loss of personal information.
- Increased risk of identity theft and fraud.
- Emotional distress and reduced trust.
Optus Management
- Faced public criticism.
- Responsible for incident response.
- Reputational and financial consequences.
IT and Cybersecurity Teams
- Required to investigate and mitigate the attack.
- Scrutiny regarding security controls.
Employees
- Experienced increased workloads during crisis management.
- Potential impact on morale.
Shareholders
- Decline in customer confidence affected company value.
- Increased legal and compliance costs.
Government and Regulators
- Responsible for investigating compliance failures.
- Required to strengthen national cybersecurity policies.
Society
- Reduced confidence in digital services.
- Increased concerns about data privacy across industries.
The breach demonstrates how cybersecurity incidents affect multiple stakeholders and highlights the importance of responsible data management.
4. Cybersecurity, Privacy and Governance Issues (450 words)
Cybersecurity Issues
- Inadequate API security.
- Weak access controls.
- Insufficient vulnerability assessment processes.
- Lack of proactive threat detection.
Privacy Issues
- Excessive retention of customer data.
- Failure to adequately protect sensitive information.
- Increased risk of privacy violations.
Governance Issues
- Poor cybersecurity oversight.
- Weak risk management frameworks.
- Lack of board-level accountability.
- Insufficient integration of cybersecurity into corporate governance.
Data Management Issues
- Retaining customer information longer than necessary.
- Lack of data minimisation principles.
Incident Response Issues
- Questions regarding communication effectiveness.
- Delays in notifying affected individuals.
The Optus breach illustrates how cybersecurity, privacy, and governance failures are interconnected and require strategic management at all organisational levels.
5. Professional Conduct Analysis (ACS Code of Ethics) (400 words)
Using the Australian Computer Society (ACS) Code of Ethics:
Public Interest
Optus had a responsibility to protect customer information and ensure systems operated safely for the public benefit.
Professional Competence
IT professionals should maintain current cybersecurity knowledge and implement appropriate safeguards.
Honesty
Organisations must communicate openly and honestly regarding security incidents.
Quality of Life
Failure to protect personal information negatively affected customers' lives through stress and identity theft risks.
Professionalism
Cybersecurity teams and executives must uphold high standards of security governance and accountability.
Leadership Responsibilities
Optus executives should:
- Ensure adequate investment in cybersecurity.
- Establish governance frameworks.
- Promote a security-focused culture.
Data Governance Officers
Must ensure:
- Compliance with privacy regulations.
- Proper data retention policies.
- Ongoing monitoring and auditing.
The ACS Code suggests that stronger adherence to professional responsibilities may have reduced the likelihood and impact of the breach.
6. Ethical Theory Application (500 words)
Utilitarianism
Utilitarianism evaluates actions based on overall consequences.
Analysis
The breach caused significant harm:
- Millions of customers affected.
- Financial losses.
- Reputational damage.
- Reduced public trust.
Any potential business benefits from retaining large volumes of customer data were outweighed by the harm caused by the breach.
Conclusion
From a utilitarian perspective, Optus failed to maximise overall societal benefit.
Deontology
Deontology focuses on duties and obligations.
Analysis
Optus had a duty to:
- Protect customer data.
- Respect privacy rights.
- Implement adequate security measures.
Regardless of costs or business objectives, protecting customer information is an ethical obligation.
Conclusion
Optus failed to fulfil its moral duty to safeguard customer information.
Comparison
| Utilitarianism | Deontology |
|---|---|
| Focuses on consequences | Focuses on duties |
| Measures harm to society | Measures compliance with obligations |
| Highlights overall damage | Highlights failure of responsibility |
Both theories indicate that stronger cybersecurity protections should have been implemented.
7. Legal and Regulatory Accountability (250 words)
The Optus breach triggered investigations under Australia's privacy and cybersecurity regulations.
Relevant Laws
- Privacy Act 1988
- Australian Privacy Principles (APPs)
- Notifiable Data Breaches Scheme
Regulatory Bodies
- Office of the Australian Information Commissioner
- Australian Cyber Security Centre (ACSC)
Legal Consequences
- Regulatory investigations.
- Potential financial penalties.
- Increased compliance obligations.
The incident highlighted the need for stronger privacy enforcement and cybersecurity governance within Australian organisations.
8. Recommendations (250 words)
1. Implement Zero Trust Security
Continuous verification of users and devices.
2. Strengthen API Security
Regular testing and monitoring of internet-facing systems.
3. Data Minimisation
Retain only necessary customer information.
4. Regular Security Audits
Conduct independent cybersecurity assessments.
5. Employee Training
Increase awareness of cybersecurity risks.
6. Improve Incident Response
Develop clear breach notification procedures.
7. Board-Level Oversight
Make cybersecurity a strategic governance priority.
These measures would significantly reduce future cybersecurity risks and improve ethical organisational behaviour.
9. Conclusion (100 words)
The 2022 Optus data breach demonstrates the serious consequences of cybersecurity and privacy failures. Millions of customers were affected, exposing weaknesses in governance, risk management, and data protection practices. Analysis using the ACS Code of Ethics, Utilitarianism, and Deontology shows that Optus had professional and ethical responsibilities to protect customer information. The breach highlights the importance of transparency, accountability, and proactive cybersecurity management. Organisations must implement stronger governance frameworks, robust security controls, and ethical decision-making processes to maintain public trust and ensure responsible information systems management.