- Posted by:
Level 32, 242 Exhibition Street
Melbourne Victoria 3000 Australia
On March 11, 2014, midnight
TELSTRA has been fined $10,200 and warned over privacy breaches after an information leak exposed almost 16,000 of its customers’ private data online.
In a joint investigation by the federal Privacy Commissioner and the communications watchdog, Telstra was found to have breached the Privacy Act by exposing online the data of some 15,775 Telstra customers, including 1257 silent line customers, when the telco giant failed to adequately protect the information.
The breach, discovered in May last year, meant that private customer data including names, telephone numbers and home and business addresses could be found through simple Google searches. The information was available online between February 2012 and May 2013 and included information from Telstra customers from the period 2006-2009. Telstra advised that there were at least 166 unique downloads of these records.
In its investigation, the Office of the Australian Information Commissioner (OAIC) found that Telstra breached the National Privacy Principles (NPP) by: failing to take reasonable steps to ensure the security of the personal information it held; failing to take reasonable steps to destroy or permanently de-identify the personal information it held; and disclosing personal information other than for a permitted purpose.
The Australian Communications and Media Authority said that, in failing to protect its customers’ information, Telstra also contravened the Telecommunications Consumer Protections Code, which requires telecommunications providers to ensure that the personal information of customers is protected from unauthorised use or disclosure and to have robust procedures in place to that end.
“This incident is a timely reminder to all organisations that they should prioritise privacy. All entities bound by the Privacy Act must have in place security measures to protect personal information,” said Privacy Commissioner Timothy Pilgrim.
Telstra has been ordered to audit its systems by June 30 to ensure the breach does not occur again. The telco has also agreed to undertake a number of actions, including closing down the software platforms on which the incident occurred, establishing a clear policy for central software management, and reviewing contracts with third parties relating to personal information-handling.
The telco has paid an infringement notice for $10,200 in relation to its contravention of the ACMA’s codes.
“This incident provides lessons for all organisations — there is no ‘set and forget’ solution to information security and privacy in the digital environment. Organisations need to regularly review and improve security systems to avoid data breaches,” said Mr Pilgrim.
The finding is the latest stain on Telstra’s lax privacy record. In 2012 the telco received a similar warning from the Privacy Commissioner for publishing the personal information of more than 730,000 customers online. It also received warnings for breaches of customer data in 2010 when a mailing list error resulted in about 220,000 letters with incorrect addresses being mailed out.
The joint ACMA and OAIC investigation comes just days before new privacy legislation comes into effect. The new legislation will give the Privacy Commissioner new enforcement powers and the ability to issue fines of up to $1.7 million to companies found to have breached sensitive customer data.