Optus confirms data breach on Freelancer.com

A number of Optus customers had their personal information revealed in a spreadsheet posted by debt collector firm ARC on Freelancer.com.

Telecommunications provider Optus has confirmed reports by Crikey that personal customer data was breached when an employee of debt collector ARC Mercantile posted a spreadsheet of customers owing money to Optus on Freelancer.com in November.

According to the Crikey report, the ARC staff member had been attempting to hire a freelance worker to analyse the data, which included names, addresses, dates of birth, email addresses, phone numbers, and debt-collection history; 51 people accessed the data while it was posted.

"Optus takes the protection of customer data and privacy seriously," an Optus spokeswoman told ZDNet in a statement.

"Optus has become aware that an employee of a third-party supplier posted a document containing customer data to a public website. This action was unauthorised by Optus and its supplier, ARC."

Both Optus and ARC voluntarily reported the breach to the Office of the Australian Information Commissioner (OAIC), with Optus also notifying affected customers.

"We are pleased to see that Optus has notified affected individuals about this incident," the OAIC said.

"Notification can be an important mitigation strategy that has the potential to benefit both the organisation and the individuals affected by a data breach. The OAIC strongly encourages notification in appropriate circumstances as part of good privacy practice."

Crikey has also reported the number of customers whose data was breached as being 31,150, though the telco did not comment on this.

Optus did say that it is undertaking an investigation into the matter, however.

"As soon as Optus became aware of ARC's action, we acted swiftly to remove the data and conduct a full investigation into the incident," the Optus spokeswoman added.

"ARC is cooperating with Optus and is undertaking all due diligence requested by Optus, including reporting the matter to relevant authorities."

The OAIC has yet to determine whether it needs to take further action under its privacy regulatory action policy.

Australian Privacy Commissioner Timothy Pilgrim, who was reappointed as privacy commissioner in August, has historically taken a hard line against companies that cover up data breaches, saying last November that the concealment of a data breach "will not be looked well on by our office".

The privacy commissioner had fought for the inclusion of a provision that would make data-breach notification mandatory for any leak of data stored under the mandatory data-retention legislation that came into effect in October.

"By creating a large repository of personal information, the proposed data-retention scheme increases the risk and possible consequences of a data breach," Pilgrim stated in January.

"This is because the challenge of effectively securing that information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure will become more difficult as technology evolves."

He argued that telcos already attract a high number of complaints, with 13 investigations having taken place since he took office in 2010 -- such as when Telstra made the details of 734,000 customers accessible online in 2011.

Earlier this month, however, it became clear that the earliest Australia will have a mandatory data-breach notification scheme is 2017, because the Attorney-General's Department only released its exposure draft of the Privacy Act amendments creating such a scheme in the last sitting week of Parliament.

The OAIC received 77 calls specifically about data-breach notifications during FY15, with the telecommunications industry coming in at sixth place for the most commonly complained about sectors.

Optus' services have increasingly come under fire; earlier on Thursday, the Australian Competition and Consumer Commission fined Optus AU$51,000 for making false claims about the speed of its hybrid fibre-coaxial (HFC) network, while the Telecommunications Industry Ombudsman reported that Optus' complaints ratio, measured per 10,000 services in operation, stood at 6.7 -- a rise of 45.7 percent year on year.

The TIO's Annual Report 2014-15, published in October, also revealed that customer complaints about Optus had increased substantially -- 31.5 percent over the year, from 14,144 during FY14 to 18,601 in FY15.

Last month, a leaked draft by the National Broadband Network (NBN) company also revealed that Optus' HFC network is "not fully fit for purpose", with 470,000 premises in the footprint needing to be overbuilt by either Telstra HFC or fibre services.