KPMG admits ethics breaches: leaked Optus data, surveilled whistleblower

The whistleblower suffered significant mental health and career damage through retaliation, surveillance, and inadequate support from KPMG during the complaints process.
Information moving through an ethical divider shouldn't have moved through that divider
KPMG's chair acknowledges the firm leaked confidential client data to internal competitors pursuing separate contracts.

In the measured chambers of parliamentary inquiry, one of the world's largest accounting firms was compelled to confess what institutional pride had long obscured: that the walls meant to separate competing clients' secrets had been deliberately crossed, and that the person who first said so had been watched, doubted, and quietly pushed aside. KPMG's admissions before an Australian Senate committee reveal not merely a procedural failure but a deeper erosion of the trust that makes auditing — and by extension, markets — possible. The resignation of a chief executive, the departure of a 68-year client, and the suffering of a single whistleblower together mark the human and institutional cost of placing revenue above the rules that hold a profession together.

  • KPMG's 'ethical dividers' — the internal walls meant to prevent confidential client data from crossing between competing teams — were breached when Optus information reached colleagues bidding for Telstra's audit contract, a violation the firm spent months denying before its own chair confirmed it under oath.
  • A whistleblower who raised the alarm was not protected but surveilled: executives authorized searches of their laptop on the very day they emailed fresh concerns, treating a source of truth as a security threat.
  • The firm's former CEO resigned in May, walking away with over four million dollars while acknowledging he had failed to find the evidence sooner and had not made the process 'humanistic' for the person who suffered most.
  • Lendlease ended a 68-year audit relationship and is seeking cost reimbursement; regulators are investigating 12 KPMG staff; and the whistleblower, who left after signing a deed of release, has been left with significant mental health and career damage the firm has declined to revisit.
  • What began as a confidentiality breach has become a systemic reckoning — exposing how a major professional services firm subordinated the integrity of its profession to the pursuit of new contracts, and then compounded the harm by retaliating against the person who refused to stay silent.

On a Friday morning in Canberra, KPMG's chair Martin Sheppard sat before a parliamentary committee and confirmed what the firm had long resisted admitting: staff had leaked confidential Optus information to colleagues competing for a Telstra contract, crossing what he called an 'ethical divider' that should have been inviolable.

The scandal had been building since March, when Senator Deborah O'Neill read a whistleblower's testimony into the parliamentary record under privilege. The whistleblower, a KPMG employee, had watched partners breach the confidentiality agreements central to audit work. KPMG initially dismissed the claims as unsubstantiated — but the position collapsed as further breaches emerged involving Lendlease and Dexus data, and the Optus leak was confirmed in open hearing.

Former CEO Andrew Yates resigned in May, acknowledging he had seen supporting evidence and should have found it sooner. He departed with $4.1 million in payments. The Chartered Accountants Australia and New Zealand announced investigations into Yates and eleven others, with its chief executive describing the conduct as disgusting.

Yet the leak was only part of the story. Julian McPherson, KPMG's former head of audit, authorized a search of the whistleblower's laptop on the same day the whistleblower emailed him with fresh concerns and warnings of retaliation. The computer was searched twice more in November 2024 — searches that ultimately uncovered evidence the whistleblower had been right. Rather than vindication, the whistleblower received surveillance and was treated as an HR problem. After signing a deed of release in 2025, they left the firm. Sheppard declined to revisit the terms to offer better support. Yates said he was 'deeply distressed' to learn of the personal, mental, and career cost the whistleblower had endured.

The damage radiated outward. Lendlease ended its 68-year audit relationship with KPMG and announced it would seek reimbursement for the cost of finding a new auditor, after learning the firm had dismissed leak allegations without informing its CEO. Partners Eileen Hoggett and Paul Rogers stood down from audit work and now face investigation by ASIC. What began as a breach of internal rules had become a public reckoning with how a major firm had placed revenue above professional integrity — and how it had treated the one person willing to say so.

On a Friday morning in Canberra, KPMG's chair Martin Sheppard sat before a parliamentary committee and acknowledged what the firm had spent months denying: his staff had leaked confidential information belonging to Optus, one of Australia's largest telecommunications companies, to colleagues who were competing for a contract with Telstra. The information had crossed what should have been an impenetrable barrier—what Sheppard called an "ethical divider." It shouldn't have moved. But it did.

The scandal had been building since March, when Senator Deborah O'Neill read a whistleblower's testimony into the parliamentary record, shielded by privilege. The person who came forward worked at KPMG and had watched the firm's partners systematically breach the confidentiality agreements that sit at the foundation of audit work. At first, KPMG pushed back. The allegations were unsubstantiated, the firm said. But as weeks passed, the company's position crumbled. Partners had leaked Lendlease's confidential data. Another partner had made a remark suggesting colleagues examine Dexus' sensitive information. And now, in this public hearing, the Optus breach was confirmed.

The revelations prompted Andrew Yates, KPMG's former chief executive, to resign in May. Yates told the committee he had seen evidence supporting the whistleblower's claims and realized he should have found it sooner. He walked away with $1.7 million for his notice period and $2.4 million as part of the firm's partnership agreement. The Chartered Accountants Australia and New Zealand, the peak professional body, announced it was investigating Yates and eleven others. Its chief executive, Ainslie van Onselen, said she was disgusted by the conduct.

But the leak was only part of the story. What emerged during the hearing was how KPMG had treated the person who raised the alarm. Julian McPherson, KPMG's former head of audit, authorized a search of the whistleblower's laptop on May 30, 2024, the same day the whistleblower emailed him again with concerns and warnings of retaliation from colleagues. McPherson said he was worried the whistleblower might leak KPMG information while job hunting. The computer was searched again on November 21 and 26, 2024. Those searches eventually uncovered evidence the whistleblower had been right all along.

Instead of being vindicated, the whistleblower was handled as a human resources problem—someone with workplace grievances, as executives had dismissed them. The person was surveilled. Concerns were routed to HR first, then legal. The whistleblower described a culture of fear, of profit placed above integrity, of retaliation for speaking up. In 2025, after signing a deed of release, the whistleblower left KPMG. Sheppard declined to revisit the terms of that agreement to offer better financial or legal support. Yates acknowledged the firm had failed. "I don't think we made the whistleblower feel comfortable through the process," he said. "I feel that we could have made the process easier and I also feel probably we could have made it a more humanistic approach." When a senator noted the whistleblower had suffered a horrendous personal, mental, and career cost, Yates said he was deeply distressed to hear it.

The damage extended beyond the individual. Lendlease, whose confidential information had been leaked, ended its 68-year audit relationship with KPMG and announced it would seek reimbursement for the costs of finding a new auditor. Tony Lombardo, Lendlease's chief executive, told the committee that KPMG had dismissed the leak allegations in May 2025 without telling him, and only gave him sporadic updates after the story became public. The firm refused to share its investigations. Partners Eileen Hoggett and Paul Rogers stood down from audit work and now face investigation by the Australian Securities and Investments Commission. The firm has also not substantiated allegations it received inappropriate guidance while bidding for Westpac's audit contract. What began as a breach of ethics had become a reckoning with how a major professional services firm had prioritized revenue over the rules that hold the profession together, and how it had treated the person brave enough to say so.

There was evidence to support some of the whistleblower allegations that, had I overseen things differently, we could have found earlier, and it was that day that I realised that I felt I needed to take accountability.
— Andrew Yates, former KPMG CEO
I don't think we made the whistleblower feel comfortable through the process. I feel that we could have made the process easier and I also feel probably we could have made it a more humanistic approach.
— Andrew Yates, former KPMG CEO
A Conversa do Hearth Outra perspectiva sobre a história
Inventor

Why did it take a parliamentary inquiry for KPMG to admit what happened?

Model

Because admitting it meant admitting the firm had failed at the one thing it's supposed to do—maintain confidentiality and integrity. As long as they could call it unsubstantiated, they could avoid accountability. The inquiry forced them into the light.

Inventor

The whistleblower was surveilled while raising concerns. How does that happen in a professional firm?

Model

It happens when you treat the person raising the alarm as the problem rather than the conduct they're reporting. McPherson authorized the laptop search because he was worried about leaks, not because he was investigating the leaks that had already happened. The whistleblower became a security risk instead of a source of truth.

Inventor

What does it mean that the whistleblower signed a deed of release and left?

Model

It means the firm contained the problem by making it go away. The deed likely included confidentiality clauses and a settlement amount in exchange for silence. The whistleblower couldn't speak publicly about what happened without legal consequences. That's how you protect the institution rather than the person who tried to protect it.

Inventor

Lendlease ended a 68-year relationship. Is that the real cost here?

Model

It's a visible cost. But the deeper one is that a firm built on trust—auditors are supposed to be independent guardians of financial truth—had that trust shattered. When partners leak client information to win other contracts, the whole system breaks down. Lendlease had to assume their secrets weren't safe anywhere.

Inventor

Why did Yates resign with millions in severance?

Model

Because he was a partner, and the partnership agreement protected him. He took accountability, which is something, but he also walked away cushioned. The whistleblower signed a deed of release. Yates got paid millions. The asymmetry says something about who the firm protects.

Inventor

What happens now?

Model

Regulators are investigating twelve people. The firm's reputation is damaged. But whether anything structural changes—whether the culture of revenue-first actually shifts—that's still an open question. Admitting wrongdoing is not the same as fixing it.

Quer a matéria completa? Leia o original em The Guardian ↗
Fale Conosco FAQ