Update: The Australian Privacy Commissioner has launched a formal investigation into Telstra's most recent privacy breach, which security experts have damned as worse than the recent Vodafone and Sony PlayStation Network breaches.
In a statement today, Australian Privacy Commissioner Timothy Pilgrim said that his office had been in talks with Telstra and would be taking action.
"I have opened a formal investigation into the Telstra data breach. At a briefing today, Telstra has assured our office that the immediate problem has been rectified and that personal data is no longer accessible.
"I have asked that Telstra also provide me with a detailed written report on the incident, including how it occurred, what information, if any, was compromised and what steps they have taken to prevent a re-occurrence. I will consider all the information provided by Telstra and hope to be in a position to issue an investigation report in late January 2012."
Telstra stated that it would again brief the privacy commissioner at the end of the investigation, and that it was proactively contacting customers at the same time.
After Telstra reset the passwords of around 60,000 users, affected customers were required to call Telstra and provide additional privacy information to regain control of their accounts. On the weekend, users were reporting wait times of about an hour. At the time of writing, wait times were down to 10 to 15 minutes.
The Australian Communications Consumer Action Network (ACCAN) has said that customers with concerns should consider making their own complaints. It recommended contacting Telstra on its hotline and, failing that, raising a complaint with the Privacy Commissioner's Office.
While ACCAN welcomed the investigation, it called upon the privacy commissioner to expand the investigation to include the rest of the business.
"It’s only a matter of months since the privacy commissioner completed his last inquiry into Telstra. We believe there are now grounds to question the adequacy of the protection of customer information across all platforms," said ACCAN chief executive Teresa Corbin this afternoon.
"The last investigation into Telstra by the privacy commissioner identified a privacy breach related to a mail out, but dismissed it as a one-off human error. We think the magnitude of this breach is much more serious and should result in a wider investigation by the [Office of the Australian Information Commissioner] using independent IT security analysts.
"This is as much a test for the privacy commissioner as it is for Telstra. Customers want to know they can trust companies to keep their personal data secure. We've seen a growing number of these types of breaches this year alone and organisations must be held to account."
Sophos head of technology, Paul Ducklin, said that Telstra had reacted pretty quickly to the incident, but companies that were determined to make customer data available to remote users and third parties over the internet ought to be more circumspect as to what they publish and to whom.
"In this case, as in the Vodafone breach earlier in the year, it looks as though too many fields from too many database records were exported for external viewing," he said.
"'Need to know' says that you almost always need to slice your databases horizontally — why should every user be able to see every row, or entry, in the database? And vertically — why should every user be able to see every column, or data field, in the database?"
He said that the best way Telstra could have prevented the data from leaking was to not publish it in the first place.
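The horizontal and vertical slicing Ducklin describes can be sketched as follows. This is an added example, not code from Telstra or from the article; the table, column names, roles and sample rows are all hypothetical and constructed for illustration.

```python
import sqlite3

# Vertical slice: the only columns each (hypothetical) role may ever see.
# Anything not listed, such as the password column, is never exported.
ROLE_COLUMNS = {
    "support_agent": ("customer_id", "username", "ticket_note"),
    "billing_agent": ("customer_id", "account_number"),
}


def build_db():
    """Create an in-memory table holding constructed sample records."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers (customer_id INTEGER PRIMARY KEY, "
        "username TEXT, password TEXT, account_number TEXT, "
        "ticket_note TEXT, assigned_agent TEXT)"
    )
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "user_one", "constructed-pw-1", "ACC-0001", "modem fault", "agent_a"),
            (2, "user_two", "constructed-pw-2", "ACC-0002", "billing query", "agent_a"),
            (3, "user_three", "constructed-pw-3", "ACC-0003", "line dropout", "agent_b"),
        ],
    )
    return db


def export_for(db, role, agent):
    """Return only the rows and columns this role and agent need to know."""
    columns = ROLE_COLUMNS.get(role)
    if columns is None:
        # Deny by default: an unknown role gets nothing, not everything.
        raise PermissionError(f"no export defined for role {role!r}")
    # Column names come from the fixed allow-list above, never from input.
    # Horizontal slice: the agent is bound as a parameter to filter rows.
    sql = f"SELECT {', '.join(columns)} FROM customers WHERE assigned_agent = ?"
    return [dict(zip(columns, row)) for row in db.execute(sql, (agent,))]


if __name__ == "__main__":
    for record in export_for(build_db(), "support_agent", "agent_a"):
        print(record)
```
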
ACCAN said Telstra had been holding back on the full extent of the issue.
"Telstra are telling their customers that it has had an ‘internal systems outage’, but we think this explanation only tells part of the story. Telstra has had a major privacy breach of one of its customer databases, including 70,000 usernames and passwords for BigPond accounts," Corbin said.
"This latest security breach by Telstra is simply not good enough and we, like Telstra customers, look forward to a detailed explanation as to why one of its customer service databases was available on a public web page."
IT security specialist, James Newburrie, said that Telstra had screwed up its IT security so badly that it seemed that the Cybercrime Act didn't apply.
Under the Act, unauthorised access to data is a crime if:
- the person causes any unauthorised access to, or modification of, restricted data;
- the person intends to cause the access or modification;
- the person knows that the access or modification is unauthorised; and
- one or more of the following applies:
  - the restricted data is held in a Commonwealth computer;
  - the restricted data is held on behalf of the Commonwealth;
  - the access to, or modification of, the restricted data is caused by means of a telecommunications service.
Key to the Act is the definition of restricted data — data that is "held in a computer" and "to which access is restricted by an access control system associated with a function of the computer".
However, in Telstra's case, no access control system was put in place.
According to Newburrie, even the poorest, weakest, generic password system implemented by Telstra would have provided legal protection against accessing the information.
"Telstra didn't even bother to do that — by not implementing any access control, regardless of strength or reliability, Telstra effectively gave every would-be hacker a legally free pass to a huge amount of sensitive data," he said.
Newburrie said that this made it worse than data breaches that occurred at Vodafone and the Sony PlayStation Network earlier this year, and that it seemed that the bigger the company the more impressive the mistake.
Ducklin stated that the idea of larger companies being less likely to have data breaches was a notion Australians needed to discard.
"I'm worried that this sort of thinking implies that smaller companies might more easily be excused for data breaches of this sort," he said.
"No data breach is acceptable."
Updated at 4.54pm, 12 December 2011: added ACCAN's comments.