Telco leaked info of 15,700 customers and violated privacy rulesThat’s according to the Office of the Australian Information Commissioner (OAIC) and the Communications and Media Authority, who today released a damning verdict into Telstra’s privacy practices, after several major customer data leaks online.
The probe followed the revelation by a journalist in 2013 that the personal information of 15,775 Telstra customers (from 2009 and earlier) was publicly accessible on the internet for more than a year between February 2012 – May 2013. There were at least 166 unique downloads of the records during that period.
In its report, the Privacy Commissioner, Timothy Pilgrim, found Telstra breached several National Privacy Principles (NPP), including failure to take reasonable steps to ensure the security of personal information held; failure to take reasonable steps to destroy or permanently de-identify the personal information; disclosure of personal information other than for a permitted purpose.
Telstra also contravened the Telecommunications Consumer Protections Code which require telcos to ensure customers personal information is protected from unauthorised use and have robust procedures in place.
It’s not the first time Telstra has leaked customer information – in 2011, it accidentally leaked personal data of approximately 734,000 customers online in December 2011 and again, in 2010 a mailing list error resulted in 220,000 letters being sent with incorrect addresses.
Telstra was fined $10,200 after the first breaches having failed to address ACMA’s direction to comply with privacy rules, in November 2012.
This is the maximum penalty under telecommunications legislation. The telco has now agreed to dump the software platform on which the incident occurred, establish a policy for central software management, and review contracts with third parties relating to personal information-handling.
And little wonder. From tomorrow, the Privacy Commissioner will have powers to impose fines of up to $1.7 million to companies who breach privacy legislation.
‘The ACMA welcomes Telstra’s agreement to the Privacy Commissioner’s recommendations,’ said ACMA Chairman Chris Chapman.
‘”Telco providers are in a position of trust with respect to their customers’ details and with it comes a weighty responsibility -a fact reflected in the outcomes mandated by the TCP Code.”
This incident provides lessons for all organisations – there is no ‘set and forget’ solution to information security and privacy in the digital environment. Organisations need to regularly review and improve security systems to avoid data breaches.’