Optus rapped for three privacy breaches

The Australian privacy commissioner has accepted an enforceable undertaking from Optus after investigating three separate privacy breaches at the telco.
Written by Josh Taylor, Contributor

Optus has committed to undertake an independent review of its information security systems after Australian Privacy Commissioner Timothy Pilgrim investigated three separate security incidents.

The first incident related to the company's telephone directory listed on the Optus website. During an upgrade in February 2013, Optus accidentally published the names, addresses, and mobile phone numbers of 122,000 customers without their consent. Optus was made aware of the issue in April 2014, and notified the Office of the Australian Information Commissioner (OAIC) in June 2014.

The second incident related to Netgear and Cisco modems that Optus had deployed to 197,000 and 111,000 customers, respectively, since 2008. Optus had left the management ports on these modems open so that it could reach the devices remotely. Because that port was reachable from the internet, any customer who had not changed the modem's administrative password from the factory default could have had the device taken over by anyone who knew of the exposure.

The issue was reported by Fairfax Media in April 2014, after Optus had already secured the modems.

"Optus closed off the vulnerability by implementing access controls and modifying configuration files on all affected and newly dispatched modems to harden security on these modems by enforcing stronger password protection," the privacy commissioner said.

"There is no evidence that this security vulnerability was exploited."
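The two weaknesses behind the modem incident, a management service reachable from any address and a default credential left in place, and the two fixes the commissioner describes, access controls and enforced stronger passwords, are easiest to see side by side in device configuration. The fragment below is an added illustration and is not Optus's, Netgear's or Cisco's actual configuration: it assumes a Cisco IOS-style CLI for the sake of a familiar syntax (the real modem models and their configuration format are not stated on the page), and the 203.0.113.0/24 range standing in for the operator's management network is a documentation address chosen for the example.

```cisco
! BEFORE (illustrative only): management reachable from any source address,
! a well-known default login, and cleartext telnet. This is the exposure, not
! a fix; do not deploy.
username admin password admin
line vty 0 4
 transport input telnet
 login local
!
ip http server

! AFTER (illustrative only): restrict who may reach the management service,
! replace the default login with a per-device secret, and drop cleartext access.
hostname cpe-modem
ip domain-name example.net
! RSA key generation is a privileged-exec step, shown here for completeness.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Access control: only the operator's management network (assumed range) may
! open a management session; everything else is dropped and logged.
ip access-list standard MGMT-ONLY
 permit 203.0.113.0 0.0.0.255
 deny   any log
!
! Stronger password protection: a per-device secret set at provisioning time
! (the value is a placeholder) and the factory default account removed.
username optus-mgmt privilege 15 secret <per-device-random-secret>
no username admin
service password-encryption
login block-for 120 attempts 3 within 60
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
 exec-timeout 5 0
!
no ip http server
```

Consumer modems usually expose management over a web interface or TR-069 rather than a vty line, but the check is the same in any format: confirm from an address outside the operator's network that the management port does not answer, and confirm that the factory-default credential is rejected on every shipped unit, not only on newly dispatched ones.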

The third incident related to Optus customers not being prompted for their voicemail passwords when accessing their voicemail on the Optus network.

For each of these incidents, the privacy commissioner said that a large number of individuals had the security of their personal information compromised, creating a risk of harm. The security measures in place were not reasonable given the volume and sensitivity of the personal information Optus held, the commissioner said.

In each of the three cases, Optus learned of the breach only when a third party reported it.

As part of the undertaking, Optus has committed to engaging a third-party auditor to review Optus' practices, procedures, and systems used to protect personal information, and identify weaknesses and changes that need to be made. Optus must then implement the changes proposed as part of the report.

The undertaking was signed by Optus CEO Allen Lew.

"I appreciate the positive way in which Optus worked with our office to address these incidents. I consider that the enforceable undertaking is an appropriate outcome that will ensure Optus takes steps to strengthen its privacy controls and meet its security obligations under the Privacy Act," Pilgrim said in a statement.

"Data breaches can pose a serious threat to individuals and to the reputation of organisations. For those reasons, I recommend that all organisations and agencies develop a data breach response plan, as this will significantly improve their ability to respond to a breach."

Optus vice president of corporate and regulatory affairs, David Epstein, said Optus had taken the issues seriously, and had resolved the matters.

"Optus has cooperated with the Privacy Commissioner and provided an undertaking to obtain an independent external review of its compliance with privacy laws," he said in a statement.

"Affected customers were notified in 2014 and we worked with individuals to address their concerns at that time. We will continue to review our processes and systems to prevent future mistakes."

The undertaking comes as the Senate on Thursday passed data-retention legislation that will require Optus, and all other Australian telecommunications companies, to store far more customer data, and to keep it for two years.

A spokesperson for Optus told ZDNet that the company is now beginning to work on a data-retention implementation plan.

"The legislation envisages these plans and allows up to six months for each provider to settle its plan with the Attorney-General's Department. The approved plan will set out Optus' approach to complying with the retention obligations," the spokesperson said.

The company has not yet confirmed whether the data will be stored in Australia; Telstra has said its data will be stored encrypted within Australia.
