Telstra account gaffe breached Privacy Act

Powered by SC Magazine
 

Privacy office drops probe due to quick incident response.

The Australian Privacy Commissioner has found Telstra breached the Privacy Act when it exposed thousands of customer records to the public over the internet last year.

Commissioner Timothy Pilgrim said the telco breached National Privacy Principle 2.1 and 4.1 as it “did not take reasonable steps to protect customers' personal information from unauthorised access and disclosure”.

Telstra reset 73,000 customer passwords in December after an internal tool containing sensitive information for a total 806,000 subscribers — including passwords, usernames, phone numbers and addresses — were inadvertently exposed on the internet.

Approximately 734,000 records in total were exposed.

Telstra’s entire BigPond email system was taken offline, affecting up to a million users.

The telco’s incident response manager Scott McIntyre this year revealed at SC's 'Security on the Move' event that Telstra had taken down the offending site within an hour of becoming aware of the gaffe.

The Privacy Commissioner's investigation found the telco failed to properly escalate the security incident to the relevant area when it was first aroused.

It found the breach was caused in part because a Telstra employee incorrectly filling out a mandatory security compliance questionnaire before implementing the system, in a “failure to follow proper systems, processes and oversight”.

A separate but contemporaneous investigation into the incident by the media regulator (doc) found that "had the Telstra staff member completed the questionnaire correctly, the relevant risks would have been identified".

"In addition to this, a small number of people failed to protect the Visibility Tool once it became clear that it could be externally accessed," it said.

"Had Telstra’s internal processes been correctly followed, the incident would have been prevented"

But Telstra escaped any undertakings or further penalties from either the Privacy Commissioner or the Australian Communications and Media Authority, despite the latter organisation also finding Telstra had contravened the Telecommunications Industry Protection Code.

Both investigations were finalised without penalty thanks to the telco's rapid incident response, which it used to pull records from the internet, reset passwords and contacted customers.

“The commissioner acknowledges that on becoming aware of this incident Telstra acted immediately to restrict access to personal information, commenced an investigation into the incident and implemented a number of security and policy measures,” Pilgrim said in a statement.

“These actions could be seen as reasonable steps to protect the personal information held by Telstra from unauthorised access.”

It said Telstra had run audits, revised its Privacy Compliance Program, introduced training, and improved the involvement of the Chief Privacy Officer.

The telco has received several privacy complaints in recent months, most notably due to publicity surrounding its attempts to monitor web traffic for Next G subscribers to build a voluntary web filter. The company halted such tracking this week after several customers referred the incident to the Privacy Commissioner, who is yet to open a formal investigation.

Copyright © SC Magazine, Australia


Telstra account gaffe breached Privacy Act
 
 
 
Top Stories
Australia's godfather of agile
Few technology leaders have seen the forces of digital disruption so repeatedly and at such close quarters than Nigel Dalton, CIO of the REA Group.
 
Photos: Innovation sprouts up among the lettuces
Inside the 21st Century farms managed from a smartphone.
 
Slow progress in Turnbullistan
[Blog post] How has the NBN moved ahead since regime change?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  23%
 
Application integration concerns
  3%
 
Security and compliance concerns
  31%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  24%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 587

Vote