Telstra fined over 15k customer details leaked in privacy breach

Telstra has been found to have breached Australian privacy law last year, with 15,775 Telstra customers having their private information exposed online.

Telstra has copped an AU$10,000 fine after the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) found it had breached privacy laws over the inadvertant leak of 15,775 customer details.

In May 2013 , several spreadsheets containing Telstra customer data dating back to 2009 was discovered via a Google search, and was quickly removed by Telstra. Telstra informed all affected customers, and said it had not had any "significant" complaints from customers affected.

The Oracle customer relationship platform, RightNow, which Telstra had hosted the customer data on is no longer in use by the company, and Telstra has said it has made significant investment in its system controls since the breach.

An investigation by the OAIC and ACMA found the data was available online from between February 2012, and May 2013, with 15,775 customer details online, including information associated with 1,257 silent line customers.

Privacy Commissioner Timothy Pilgrim said that Telstra breached the National Privacy Principles around taking reasonable steps to ensure the security of personal information, taking reasonable steps to destroy or de-identify personal information, and the disclosure of personal information.

ACMA also found that Telstra breached the Telecommunications Consumer Proctection (TCP) code's privacy protections.

In addition to paying an AU$10,200 fine for contravening an earlier ACMA direction to comply with the TCP code, Telstra will now also have a third-party auditor brought in to certify Telstra has rectified the matter by June 30 2014.

"Telco providers are in a position of trust with respect to their customers' details and with it comes a weighty responsibility — a fact reflected in the outcomes mandated by the TCP Code," ACMA chairman Chris Chapman said.

"This incident provides lessons for all organisations — there is no 'set and forget' solution to information security and privacy in the digital environment. Organisations need to regularly review and improve security systems to avoid data breaches," Privacy Commissioner Timothy Pilgrim added.

The fine comes just one day before the implementation of a raft of new changes to the Privacy Act come into place and put greater transparency on businesses and government agencies for their handling of customer information.