Telstra apologetic after old customer data leaks online

The telco that said its privacy bungles 'must not happen again' has found itself apologising yet again after old customer data was found leaking into the public domain.

Old Telstra customer information has turned up in public searches after a number of internal spreadsheets from the telco were indexed by search engines.

As first reported by The Sydney Morning Herald, several spreadsheets of customer data appeared in Google search results, containing the names, addresses, and phone numbers of customers from what appears to be as far back as October 2007.

A Google search for specific terms does confirm that the files were indexed, but no cached versions of the files appear to be listed on Google's search engine. Other search engines do appear to contain at least fragments of the files themselves.

Telstra was first informed of the leak of information by Fairfax Media on Wednesday afternoon, and has since removed the spreadsheets.

"When we learned some of our customers' details were publicly available, we immediately convened a team to have access to the data removed and commence an investigation," Telstra consumer executive director of Customer Service Peter Jamieson wrote on the company's blog.

"It is not acceptable, under any circumstances, for this to happen."

The files themselves were located on servers outside of Telstra's network, and the domain name details for the server indicate that it and the subdomain in use by Telstra are administered by Oracle. Navigating to the root domain name redirects users to Oracle's customer service and support offerings. Several other subdomains indicate that the same system is used by several others, including Optus, Virgin Mobile, and a number of Australian universities.

ZDNet contacted Oracle's Australian representatives for comment, but had not received a reply at the time of writing.

Telstra said in a statement that its early investigations into the matter show that the information is publicly available in the White Pages, but, nevertheless, Jamieson indicated that this would not result in dismissing the incident as a trivial matter.

"We are acutely aware of the possibility that some of the information may be sensitive to some," he wrote.

"We will take all steps to identify these customers and work with them on an individual basis. Additionally, we will be contacting all customers whose information was inadvertently made available."

Telstra indicated that it has informed the Privacy Commissioner of the incident.

Telstra had a similar privacy breach in December last year, when a Whirlpool forum user discovered that an internal customer service tool had been indexed by Google and made public. The failure to implement any form of authentication controls led security experts to damn the breach as worse than those experienced by Sony and Vodafone, and attracted a warning from the Australian Communications and Media Authority (ACMA) for failing to comply with the Telecommunications Consumer Protection (TCP) code.

It also led Telstra CEO David Thodey to send an email to all of its 42,000 staff, firmly warning them that privacy bungles must not happen again, because incidents like these "create an impression that Telstra does not care enough about the privacy of our customers".