Telstra apologetic after old customer data leaks online

Summary: The telco that said its privacy bungles 'must not happen again' has found itself apologising yet again after old customer data was found leaking into the public domain.


Old Telstra customer information has turned up in public searches after a number of internal spreadsheets from the telco were indexed by search engines.

As first reported by The Sydney Morning Herald, several spreadsheets containing customer data appeared in Google search results. They list the names, addresses, and phone numbers of customers, with records dating from what appears to be as far back as October 2007.

A Google search for specific terms does confirm that the files were indexed, but no cached versions of the files appear to be listed on Google's search engine. Other search engines do appear to contain at least fragments of the files themselves.

Telstra was first informed of the leak of information by Fairfax Media on Wednesday afternoon, and has since removed the spreadsheets.

"When we learned some of our customers' details were publicly available, we immediately convened a team to have access to the data removed and commence an investigation," Telstra consumer executive director of Customer Service Peter Jamieson wrote on the company's blog.

"It is not acceptable, under any circumstances, for this to happen."

The files themselves were located on servers outside of Telstra's network, and the domain name details for the server indicate that it and the subdomain in use by Telstra are administered by Oracle. Navigating to the root domain name redirects users to Oracle's customer service and support offerings. Several other subdomains indicate that the same system is used by several others, including Optus, Virgin Mobile, and a number of Australian universities.

ZDNet contacted Oracle's Australian representatives for comment, but had not received a reply at the time of writing.

Telstra said in a statement that its early investigations show the information is already publicly available in the White Pages, but Jamieson indicated that this would not be grounds for dismissing the incident as trivial.

"We are acutely aware of the possibility that some of the information may be sensitive to some," he wrote.

"We will take all steps to identify these customers and work with them on an individual basis. Additionally, we will be contacting all customers whose information was inadvertently made available."

Telstra indicated that it has informed the Privacy Commissioner of the incident.

Telstra had a similar privacy breach in December last year, when a Whirlpool forum user discovered that an internal customer service tool had been indexed by Google and made public. The failure to implement any form of authentication controls led security experts to damn the breach as worse than those experienced by Sony and Vodafone, and attracted a warning from the Australian Communications and Media Authority (ACMA) for failing to comply with the Telecommunications Consumer Protections (TCP) Code.

It also led Telstra CEO David Thodey to send an email to all of its 42,000 staff, firmly warning them that privacy bungles must not happen again, because incidents like these "create an impression that Telstra does not care enough about the privacy of our customers".

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • It Took An Entire Team to Remove the Documents from the Web???

    "..we immediately convened a team to have access to the data removed.."

    And I thought AT&T was run by the technically incompetent (who else sells mobile devices and does not have a mobile optimized web site?). I can't say for sure but, as hard as it is for me to believe, Telstra may take the crown.

    On the top of my AT&T stupid stuff (a very long list) is when you enter your user id and password, they come back with a message saying "This may take a few moments, depending on your Internet connection speed." For those of you that are not running a technology based company and have no reason to understand how stupid this is, I will explain.

    Once you have submitted your user id and password there is no data being transmitted over the Internet. Your Browser is sitting idle, patiently (impatiently in my case) waiting for a response. No data is being transferred during the wait.

    Now Oracle. The Blind (Oracle) leading the more blind (Telstra). Case in point Logitech.

    I have a support account with Logitech. I had not used it in years. I no longer remembered my password. They have a way to recover forgotten passwords. They then emailed me my password. First of all emailing a password is insecure and a very stupid thing to do. Secondly, no one should EVER store a password.

    The way passwords are supposed to work is when you enter your chosen password, the system is supposed to create "cryptographic hash" using your password. The hash is saved. When you log in the password is used to generate the hash using the same hashing algorithm. Then the system compares this hash to the hash stored in the user database table.

    The purpose of this method is, if there is a breach of security, no passwords can be leaked. If Logitech can send me my password, they are doing this all wrong.

    It is Oracle that provided Logitech with this customer service system.

    How a list of customers' private data ends up in a publicly accessible folder is beyond comprehension. It is difficult to fathom how a company could do something so stupid.

    I even doubt, even as stupid as the idiots running AT&T are, they could do something this stupid.

    Do not hold your breath waiting for an Oracle comment. They could not possibly be that stupid. Or are they?

    It is still a toss up who gets the dunce cap, AT&T or Telstra? It's a tough call. As the tie breaker I set my Browser to mimic a mobile phone. I tried Telstra and, giving credit where credit is due, minimal as it is, Telstra attempted to provide a mobile optimized page. The problem is it took 12 seconds for the page to load on a high powered PC. This equates to at least a minute or more for a minimally powered "smart" phone to render the page. Pathetic.

    Next I did the same with AT&T. After about a minute or so I gave up waiting to find out how long it would take for the page to render.

    Now it's down to a flip of a coin between these two "Industry Leaders".

    Can anyone say "To Hell in a hand Basket"? Isn't it a lovely world we live in. I wish I was as stupid as these Industry Leaders, then I would not know just how horrific things are.
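The password handling the commenter above describes (store only a hash, recompute and compare at login), shown as an added, runnable example. This is illustrative code written for this page, not code from Telstra, Oracle, Logitech or the commenter. It goes one step past the comment by also showing how a "forgotten password" flow can work without ever e-mailing a password: the server mails a random, single-use, expiring reset token and stores only that token's hash. The record format, the PBKDF2 iteration count, the 15-minute token lifetime and the in-memory store are all assumptions made for the example.

```python
"""Added example: salted, iterated password hashing with constant-time
verification, plus a hashed single-use reset token instead of an e-mailed
password. Illustrative only; not any vendor's implementation."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption for the example: PBKDF2-HMAC-SHA256 with this work factor.
# Tune per deployment; a slow KDF is what makes offline cracking expensive.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: alg$iterations$salt_hex$digest_hex.

    Only this record is stored. The plaintext password is never written
    anywhere, so a leaked user table cannot be mailed back to anyone.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time. Malformed or foreign records never verify."""
    try:
        alg, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if alg != ALGORITHM or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, rounds)
    return hmac.compare_digest(candidate, expected)


# Password reset without disclosing a password. The token itself goes into
# the e-mailed link; the server keeps only its hash, so a copy of this
# table is useless to an attacker. (Constructed in-memory store.)
RESET_TTL_SECONDS = 15 * 60  # assumption: 15-minute validity


class ResetTokens:
    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, float]] = {}  # token_hash -> (user, expiry)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Mint a token for `user`; return it so the caller can e-mail it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[self._key(token)] = (user, now + RESET_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a valid token and consume it; None otherwise.
        A token is single-use and rejected once expired."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._key(token), None)  # consume on first use
        if entry is None:
            return None
        user, expiry = entry
        return user if now <= expiry else None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("hunter2", record))
    store = ResetTokens()
    tok = store.issue("alice")
    print("reset ->", store.redeem(tok), "| reuse ->", store.redeem(tok))
```

The stored record carries its own salt and iteration count, so the work factor can be raised later and old records still verify; `hmac.compare_digest` avoids leaking how many digest bytes matched through timing. Redeeming a reset token lets the user set a new password, which is then stored only via `hash_password`.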
  • Time for something stable

    The need of the hour is having a secured spreadsheet tool. We as customers need a tool which has to be very secure.
    I would like to share this one which we are currently using, it's CollateBox, have a look at this one,