The Australian Privacy Commissioner has found that Telstra breached the Privacy Act by sending tens of thousands of letters to the wrong addresses, which resulted in the personal information of about 60,300 Telstra customers being disclosed to the wrong people.
In October last year, the Australian Communications and Media Authority and the Australian Privacy Commissioner Timothy Pilgrim were called in by Telstra to investigate a mail-merge error that led to 220,000 Telstra letters being sent out to incorrect addresses. The letters contained information including customer name, number and telephone plans. Over 23,000 of these letters contained silent phone numbers.
In his report today, Pilgrim found that contrary to Telstra's original estimate of 220,000 letters being incorrectly addressed, just 60,300 letters were sent in total. Of these letters, 26 per cent (or 15,400) were mailed back unopened. Pilgrim said that although the Privacy Act had been breached, it was a one-off incident.
"Our investigation has confirmed that while Telstra breached the Privacy Act when the personal information of a number of its customers was disclosed to third parties, this incident was caused by a one-off human error," he said in a statement. "It was not a result of Telstra failing to have reasonable steps in place to protect the personal information of its customers, as required by the Privacy Act."
Pilgrim said that, despite the error, Telstra had the appropriate security measures in place for ensuring customer privacy in its mail campaigns.
"In this instance, taking into account the range of measures Telstra has in place for mail campaigns, I consider that the one-off human error that occurred does not mean that Telstra failed to comply with its obligation to take reasonable steps to protect the personal information of its customers," the commissioner said.
Telstra spokesperson Craig Middleton said the telco had approached the issue very seriously and had taken steps to ensure it wouldn't happen again.
"We acknowledge the finding by the [privacy commissioner] that it was human error that circumvented our procedures, not a technical issue with our normal processes. We have also put steps in place to prevent this happening again," he said. "Telstra takes our customers' privacy very seriously and we have a very good track record of maintaining the privacy of our customers' personal information."
The privacy commissioner has since closed the investigation, stating that Telstra "has adequately dealt with the matter". Because the investigation was launched by the privacy commissioner himself, Telstra will not be subject to any penalties. However, the commissioner's office told ZDNet Australia that should an individual lodge a complaint, the commissioner would have the power to penalise Telstra for the data breach.
Telstra alerted customers as soon as it became aware of the privacy breach. However, if the Federal Government were to act on the recommendations of the Australian Law Reform Commission's 2008 report and make it mandatory for organisations to notify the public of data breaches, such notification would no longer be optional.
In light of the recent hacking of the Sony PlayStation Network, which resulted in the personal data of almost 1.5 million Australian customers being stolen, Minister for Home Affairs and Justice and Minister for Privacy and Freedom of Information Brendan O'Connor said that mandatory reporting of data breaches "seems necessary".