Telstra has breached the rules of the structural separation undertaking (SSU) because a system shared between Telstra Wholesale and Telstra Retail held protected wholesale customer information that the retail arm of the company could easily access.
As part of the AU$11 billion deal with the government and NBN Co, Telstra agreed to structurally separate its wholesale and retail fixed-line companies so that the two are not able to share information that would ultimately give Telstra Retail an advantage over its retail competitors such as Optus, iiNet, and TPG.
A report into the structural separation of Telstra provided by the Australian Competition and Consumer Commission (ACCC) to the Australian government found that Telstra was in breach of these rules in seven areas.
In customer orders, Telstra's retail staff were able to access end-user details, wholesale order details, and the wholesale customer identifier through a shared information system in which some retail staff had sufficient privileges to access the protected information.
The ACCC also found that access controls could be overridden in some circumstances, which would allow more staff to access the wholesale information.
Retail employees were also able to cancel pending wholesale orders, and the ACCC found that there were approximately 21 of these cancellations every month.
Telstra's retail staff could also access the fault reporting system and see the status of the fault reports of other retail providers' customers.
Telstra retail staff working on the South Brisbane fibre project were also given aggregated numbers of wholesale services that needed to be migrated from the decommissioned copper network over to the fibre.
A small number of Telstra retail staff were found to have access to a mainframe that acts as a reporting platform and data staging area for downstream systems, as well as an OSS database, a data warehouse for wholesale activation, assurance outage and complaint information, and a repository for billing, complaints, faults, and activation.
A single product manager in Telstra's innovation products and marketing unit, who is responsible for retail pricing, was found to have access to Telstra's wholesale billing system.
Telstra was also found to be in breach of the rules because it did not report the breaches.
In response, Telstra is remediating its IT systems to ensure that they are compliant with the security requirements in the SSU. However, many of the systems involved are seen as being "critical systems", with hundreds of thousands of transactions occurring daily, so changes will take considerable time.
Telstra, in the meantime, is revoking access to some systems from all Telstra outbound call centres, and is implementing new guidelines and warnings to retail staff about access to wholesale customer information.