Watchdogs make a damning assessment of the data leak affecting 734,000 Telstra customers.
Telstra breached its customer privacy obligations when personal information about 734,000 of its customers leaked online in 2011, the Australian Media and Communications Authority (ACMA) said today.
The Australian Privacy Commissioner, Timothy Pilgrim, also found in his just-published report that Telstra failed to protect the personal information of users and breached the Privacy Act 1988.
The Privacy Commissioner also found “Telstra did not take reasonable steps to protect customers’ personal information from unauthorised access and disclosure.”
A systems failure and an ‘incorrectly completed compliance questionnaire’ by a project manager were blamed for the leak.
A Telstra databank holding customer billing account details, including names and (in some cases) addresses, user history such as bundle package subscriptions, driver’s licence numbers and dates of birth, was publicly accessible for nine months, from 29 March to 9 December 2011, the Privacy Commissioner’s report found.
Account usernames and passwords of up to 41,000 Telstra customers were also accessible, the ACMA noted.
A Whirlpool forum user found the link to the database last December simply by typing the search request ‘Telstra Bundles request search’ into Google.
Under the Telecommunications Consumer Protections Code, a service provider must protect the privacy of each customer’s billing and personal information, said Acting ACMA Chairman Richard Bean.
“We are most concerned about the length of time, more than eight months, during which a significant number of Telstra customers’ personal information was publicly available and accessible.”
There were also clear “gaps” in Telstra’s processes to identify and act on the matter prior to media reports of the leak, he added.
Telstra has taken steps to remedy its processes and is “implementing a comprehensive review of its security systems”, which ACMA said it is currently considering.
However, ACMA does not have the power to fine Telstra; it can only issue a direction to comply with the telco code or serve a formal warning.
The Privacy Commissioner took several months to complete his report, which had been due for completion earlier this year.
In his report, however, the Commissioner did acknowledge that, on becoming aware of the incident, Telstra acted immediately to restrict access to the personal information, commenced an investigation and implemented a number of security measures.