I’ve spent the past few weeks watching this KPMG story the way you watch a building slowly fail, not from one big crack, but from a dozen small ones nobody bothered to patch. And on Friday, in a Canberra committee room, the firm’s own chairman confirmed the last crack that turned this from an HR problem into something much bigger: confidential information about Optus moved straight into the hands of the KPMG team that was simultaneously pitching to audit Optus’s biggest rival, Telstra.

Let’s be clear about what this is and isn’t. There’s no hacker here. No exploit, no malware, no credential theft. The “breach,” if you want to call it that, was a wall that was supposed to stop information moving between two teams inside the same company – and it didn’t. For a publication that usually covers CVE numbers and ransomware affiliates, this one’s worth sitting with anyway, because it’s a textbook case of an access-control failure that happens to involve people instead of firewalls.


What actually moved, and where

KPMG audits Optus. A separate KPMG team was bidding to take over the audit at Telstra – Optus’s direct competitor in the Australian telco market. Chairman Martin Sheppard told the parliamentary joint committee on Friday that unredacted Optus information crossed what he called an “ethical divider” between the two teams, something he said plainly shouldn’t have happened. Deloitte ended up winning the Telstra mandate, so whatever advantage that information might have given KPMG didn’t translate into a contract. That detail doesn’t make the underlying failure any less serious – segregation either holds or it doesn’t, and this time it didn’t.

This is the second admission of its kind from KPMG this year. The first, and the one that’s dominated headlines since March, involves Lendlease. A whistleblower alleged that confidential Lendlease board papers – material the company had explicitly told KPMG’s audit team was off-limits to anyone outside that engagement – found their way into pitch material KPMG used to chase audit work at Westpac and at property group Dexus. KPMG has substantiated the Lendlease leak and confirmed that one partner made an inappropriate suggestion to colleagues to look at confidential information belonging to Dexus. The Westpac allegation remains unsubstantiated, at least officially.

How these walls are supposed to work

In professional services, the mechanism that’s meant to stop this is what’s known in the industry as an information barrier, or “ethical wall” – Sheppard’s own phrase for it on Friday. It’s not a piece of software. It’s a set of policies and access restrictions: separate file permissions, separate teams, separate physical and logical workspaces, sign-offs required before anyone crosses from one client engagement into another. The professional standard underpinning all of it in Australia is APES 110, the Code of Ethics for Professional Accountants, which binds every accountant in the country to five fundamental principles – integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour. Confidentiality isn’t a footnote in that code. It’s one of the five pillars the entire profession claims to stand on.

KPMG’s own 2024 transparency report, published before any of this became public, disclosed that its internal compliance reviews had already flagged 49 instances of individuals not fully adhering to firm policies and procedures, firm-wide, in a single year. The firm reported zero whistleblower complaints related to audit quality that year. Both of those numbers read very differently in hindsight.

The timeline nobody at KPMG wants to repeat

The part of Friday’s hearing that should worry people more than the Optus admission itself is what happened before it. The whistleblower first raised concerns internally in May 2024. KPMG’s then head of audit, Julian McPherson, told the inquiry that his response – on the same day the whistleblower again warned of retaliation from colleagues – was to authorise a search of that whistleblower’s own laptop, out of concern the person might leak KPMG’s information while job-hunting elsewhere. Not an investigation into the allegations. A search of the person who made them.

Further searches of that laptop followed in November 2024, and those searches reportedly turned up evidence supporting the original allegations – evidence the firm says it hadn’t found through its earlier internal review. Lendlease, the client whose confidential board papers were allegedly at the centre of it all, wasn’t told any of this was happening. Lendlease chief executive Tony Lombardo told the committee KPMG had informed him the matter was investigated and dismissed back in May 2025, and that he heard nothing further until Senator Deborah O’Neill read the whistleblower’s account into the parliamentary record under privilege on 24 March this year. Lendlease’s chairman, John Gillam, called it a fundamental breach of trust. The company has now ended a client relationship with KPMG that had run for close to seven decades, and it’s seeking reimbursement for the cost of switching auditors.

By 2025, the whistleblower had signed a deed of release and no longer worked at KPMG. A deed of release in this context typically closes off the individual’s legal claims against the firm in exchange for a settlement. That detail matters, because it’s the kind of agreement that can quietly end an employee’s ability to keep speaking publicly about what happened to them, even where statutory whistleblower protections exist elsewhere. Sheppard didn’t commit, when asked directly, to revisiting the terms of that deed to give the person better financial or legal support.

Andrew Yates, KPMG Australia’s chief executive until his resignation in May, told the inquiry that the Optus evidence, which surfaced through an investigation by law firm Allens, was what finally pushed him out. He was paid AUD $1.7 million for his resignation notice period, plus a further $2.4 million on retirement under the firm’s partnership agreement. Audit boss Julian McPherson also departed. Two partners, Eileen Hoggett and Paul Rogers, have stood down from audit work and are now under investigation by ASIC over their alleged roles in the Lendlease leak.

Why the regulators couldn’t see this coming

This is the part of the story that has the most teeth for anyone interested in how oversight actually functions. KPMG, like the other members of the Big Four, operates as a partnership rather than a company. That structural choice means it sits outside the corporate reporting obligations ASIC imposes on companies, and is instead governed by a patchwork of state-based partnership law. Greens Senator Barbara Pocock put it to Yates directly during the hearing: is the partnership model “non-functioning” at this point, given this is the second time in three years a Big Four firm has been dragged in front of parliament over leaked client information? PwC’s 2023 tax leaks scandal was the first. Senator O’Neill asked whether the problem was a few bad actors or, in her words, a rotten barrel. Yates rejected both framings, telling the committee the firm is “large, complex” and “fallible,” and that he’d been reluctant to escalate the original complaint given KPMG Australia has roughly 680 partners who, under the partnership structure, share collective responsibility for the firm’s conduct. O’Neill’s response was pointed: a company structure would have given a single named executive clear accountability. A partnership spreads that responsibility so thin it can become nobody’s job in particular.

There’s also a statutory whistleblower regime in play here, separate from KPMG’s own internal handling. Part 9.4AAA of the Corporations Act 2001 has, since mid-2019, given eligible whistleblowers protection from detriment – including dismissal, altered duties, and reputational damage – when they make a qualifying disclosure to an eligible recipient. ASIC’s own guidance is explicit that company officers and senior managers are expected to actively promote and monitor the effectiveness of whistleblower handling, not just respond passively when something lands on their desk. Authorising a laptop search of the person who just raised the complaint, on the day they warned about retaliation, is the kind of decision that regime exists specifically to discourage.

KPMG has now been frozen out of new federal government contracts for at least three months, while still holding 297 active federal contracts worth roughly $653 million. The Greens have referred the firm to the National Anti-Corruption Commission. Chartered Accountants Australia and New Zealand – the professional body that licenses these individuals – has confirmed it’s investigating Yates along with eleven others connected to the scandal, with CEO Ainslie van Onselen saying publicly she was disgusted by the alleged conduct.

The lesson that travels outside accounting

Strip away the audit-industry specifics and what you’re left with is a case study any organisation handling segregated, competitively sensitive data should sit with. An information barrier is an access-control system, full stop. The fact that it’s enforced by policy and professional ethics rather than by an ACL on a file server doesn’t change what it’s supposed to do. And like any access-control system, it only works if someone’s actually watching whether it holds, and if the people who report it failing aren’t met with a laptop search instead of an investigation.

KPMG’s chairman called this “very recent” on Friday, as if the Optus disclosure were a fresh development rather than the predictable result of a firm that spent two years treating a credible internal warning as a personnel headache. The wall didn’t fail because nobody knew it was there. It failed because nobody outside the people it was meant to constrain was checking it held.

KPMG Australia chairman Martin Sheppard, former CEO Andrew Yates, and former head of audit Julian McPherson gave evidence to a parliamentary joint committee hearing in Canberra on Friday, 19 June. Investigations by ASIC and Chartered Accountants Australia and New Zealand into individuals connected to the matter remain ongoing.

This post first appeared at The CyberSec Guru.