Telstra breached privacy of over 15k customers: Privacy Commissioner

The details of 15,775 customers was accessible online between February 2012 and May 2013

An investigation by the Australian Privacy Commissioner, Timothy Pilgrim, and the Australian Communications and Media Authority (ACMA) has concluded that Telstra breached privacy rules after 15,775 phone numbers, names and home addresses contained in spreadsheets were found online via a Google search in May 2013.

At the time, SMS Broadcast owner, Lee Gaywood, contacted the <i>Sydney Morning Herald</i> and said that he found the data when searching on Google for telco carrier access codes.

According to Gaywood, he needed to know the codes for his SMS service to work. Telstra took the files offline on 15 May after being notified of the breach by Fairfax.

According to Pilgrim, the customer information dated back to 2009 and earlier. It was accessible online between February 2012 and May 2013.

In his report, Pilgrim found that Telstra breached three National Privacy Principles (NPPs).

  • NPP 4.1 – failure to take reasonable steps to ensure the security of the personal information it held
  • NPP 4.2 – failure to take reasonable steps to destroy or permanently de-identify the personal information it held
  • NPP 2.1 — disclosure of personal information other than for a permitted purpose.

He recommended that Telstra engage an independent third party auditor to certify that Telstra has implemented planned corrections, and that the certification be provided to the commissioner by 30 June 2014.

In addition, Telstra has been ordered to review its document retention policy so that it meets the requirements of the <i>Australian Privacy Principles</i> which come into law tomorrow

Following the breach, Telstra agreed to stop using the Right Now software platform on which the data breach incident occurred, establish a policy for central software management, and review contracts with third parties relating to personal information-handling.

“This incident provides lessons for all organisations; there is no ‘set and forget’ solution to information security and privacy in the digital environment. Organisations need to regularly review and improve security systems to avoid data breaches,” Pilgrim said in a statement.

ACMA’s report found that Telstra contravened clause 4.6.3 of the Telecommunications Consumer Protections (TCP) Code, which requires telcos to ensure that the personal information of customers is protected from unauthorised use or disclosure.

In addition, Telstra did not follow a direction from ACMA to comply with clause 4.6.3 when personal information of about 734,000 of its customers was accessible online during 2011, according to the watchdog.

The telco paid an infringement notice of $10,200 to ACMA for failing to follow the earlier direction to comply.

Telstra has been investigated by the Privacy Commissioner three times for data breaches since 2010.

The first investigation took place on 28 October 2010 when Telstra told the Office of the Australian Information Commission (OAIC) that a mailing list error had resulted in approximately 220,000 letters with incorrect addresses being mailed out.

Following an investigation, Pilgrim concluded that Telstra had breached National Privacy Principle (NPP) 2 by disclosing the personal information of some of its customers to unauthorised third parties.

On 12 December 2011, Pilgrim was on the case again after Telstra’s customer service website was openly accessible on the Internet.

The telecommunications company said it was made aware of the privacy breach and disabled its online billing, BigPond self-care and My Account functions on its website.

A Telstra spokeswoman said in a statement that it was "unacceptable" for customer information to be publicly visible and that Telstra apologised to the affected customers in May 2013.

"These customer records were only visible via a complex Google search and there were no significant complaints from affected customers," she said.

"We have since stopped using the Right Now platform and we have made significant investments into more stringent controls around our systems."

She added that Telstra accepts the view of the Commissioner that a problem with one of its IT platforms meant that customer details, such as names and addresses, were visible online for around 15,000 people.

"We will now engage an independent third party auditor to certify we have implemented the steps we committed to with the Privacy Commissioner."

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

Conversations over a cuppa with CMO: Microsoft's Pip Arthur

​In this latest episode of our conversations over a cuppa with CMO, we catch up with the delightful Pip Arthur, Microsoft Australia's chief marketing officer and communications director, to talk about thinking differently, delivering on B2B connection in the crisis, brand purpose and marketing transformation.

More Videos

Hey there! Very interesting article, thank you for your input! I found particularly interesting the part where you mentioned that certain...

Martin Valovič

Companies don’t have policies to disrupt traditional business models: Forrester’s McQuivey

Read more

I too am regularly surprised at how little care a large swathe of consumers take over the sharing and use of their personal data. As a m...

Catherine Stenson

Have customers really changed? - Marketing edge - CMO Australia

Read more

The biggest concern is the lack of awareness among marketers and the most important thing is the transparency and consent.

Joe Hawks

Data privacy 2021: What should be front and centre for the CMO right now

Read more

Thanks for giving these awesome suggestions. It's very in-depth and informative!sell property online

Joe Hawks

The new rules of Millennial marketing in 2021

Read more

In these tough times finding an earning opportunity that can be weaved into your lifestyle is hard. Doordash fits the bill nicely until y...

Fred Lawrence

DoorDash launches in Australia

Read more

Blog Posts

Highlights of 2020 deliver necessity for Circular Economies

The lessons emerging from a year like 2020 are what make the highlights, not necessarily what we gained. One of these is renewed emphasis on sustainability, and by this, I mean complete circular sustainability.

Katja Forbes

Managing director of Designit, Australia and New Zealand

Have customers really changed?

The past 12 months have been a confronting time for marketers, with each week seemingly bringing a new challenge. Some of the more notable impacts have been customer-centric, driven by shifting priorities, new consumption habits and expectation transfer.

Emilie Tan

Marketing strategist, Alpha Digital

Cultivating engaging content in Account-based Marketing (ABM)

ABM has been the buzzword in digital marketing for a while now, but I feel many companies are yet to really harness its power. The most important elements of ABM are to: Identify the right accounts; listen to these tracked accounts; and hyper-personalise your content to these accounts to truly engage them. It’s this third step where most companies struggle.

Joana Inch

Co-founder and head of digital, Hat Media Australia

Sign in