The Australian Communications and Media Authority (ACMA) has found that Telstra breached customer privacy obligations when it exposed the personal details of 734,000 customers online last year.
In December last year Telstra inadvertently exposed customer information online after one of its internal tools was indexed by Google and made public. The tool was designed for Telstra employees to search customer records, but anyone with access to the tool could access information about a Telstra customer's Bundle orders, including their plan, billing account numbers, first and last names and notes about their account.
The ACMA today found that Telstra had breached the Telecommunications Consumer Protection (TCP) Code by making this tool available publicly, and had exposed the addresses of 734,000 BigPond customers, as well as the usernames and passwords of up to 41,000 of those customers. The Privacy Commissioner also today found Telstra had breached the Privacy Act by its action.
Telstra reported to ACMA in early 2012 that the tool had not been subject to Telstra's standard privacy and security processes. In July 2011, Telstra's legal and privacy department was made aware that the tool could be accessed online and subsequently moved it behind Telstra's firewall, preventing public access. But a software restoration undertaken in October 2011 inadvertently removed the firewall protection for the tool and made it publicly available again, where it remained until members of the public discovered it in December.
Despite the tool being made available publicly between March and July in 2011, the ACMA noted that at the time, there were very few records in the database, and it was only as a result of media attention in December 2011 that external IP addresses began accessing the tool.
Nevertheless, ACMA acting chair Richard Bean said the issue was a cause for concern.
"We are most concerned about the length of time — more than eight months — during which a significant number of Telstra customers' personal information was publicly available and accessible," Bean said.
"Clearly there were gaps in Telstra's processes to identify and act on the matter prior to media reports of the disclosure."
Australian Privacy Commissioner Timothy Pilgrim was concerned about Telstra staff awareness.
"Of particular concern is that a number of Telstra staff knew about the security issues with the database but did not raise them with management. This incident could have been easily avoided if appropriate planning was undertaken," he said.
"The failure by Telstra to correctly categorise the database project in its design phase as one involving customer data meant that the database did not receive the appropriate level of protection from the very beginning."
Neither ACMA nor the Privacy Commissioner can fine Telstra for this breach; however, ACMA is considering issuing a directive to Telstra to comply with the TCP Code, which could lead to penalties if Telstra breaches the code again. The Privacy Commissioner has asked Telstra to provide a report on its remediation project to resolve the privacy bungle.
Australian Communications Consumer Action Network spokesperson Elise Davidson said the ACMA needs stronger powers to punish Telstra for a breach like this.
"We strongly believe the ACMA needs stronger enforcement powers in order for the TCP Code to be effective. The ACMA is currently considering a new draft of the TCP Code for registration but — regardless of what's in it — without effective enforcement, telecommunication providers can continue to seriously breach their obligations without fear of any fines or sanctions from the regulator," she said.
The findings come as Telstra faces further scrutiny from the Privacy Commissioner over sending URLs visited by Next G customers to the US as part of the development of an internet filtering tool.