Telstra shuts down systems after privacy breach

Brett Winterford | Dec 12, 2011 6:47 AM
Update: Privacy Commissioner steps in as 60,000 passwords reset.

Telstra was forced to shut down its webmail and online billing services over the weekend after public disclosure of an embarrassing privacy breach.

On Friday afternoon, a Telstra customer posted on broadband user site Whirlpool that a routine Google search for a support number revealed publicly-accessible web pages loaded with Telstra customer information including passwords, usernames, phone numbers and addresses.

The offending web pages appeared to be entries in a system hosted by Oracle-owned SaaS vendor RightNow, presumably for use by Telstra contact centre staff.

Within hours of the Whirlpool posting, journalists at the Sydney Morning Herald had reported the breach, before Telstra has been given the opportunity to resolve the issue.

The shut down disabled BigPond email, online billing services, self-provisioning and account management systems on Saturday and caused Telstra to reset passwords for some 60,000 customers.

Most systems appeared to come back online on Saturday afternoon though the telco reported ongoing problems for some customers as late as Monday afternoon.

"Rest assured, a full investigation is underway so we can put in place measures to stop this happening again," said Peter Jamieson, Telstra's executive director of customer service on the company’s blog on Saturday.

Australian Privacy Commissioner Timothy Pilgrim said today that his department would also be launching an investigation into the breach, ahead of a report next month.

"At a briefing today Telstra has assured our office that the immediate problem has been rectified and that personal data is no longer accessible," he said.

"I have asked that Telstra also provide me with a detailed written report on the incident, including how it occurred, what information, if any, was compromised and what steps they have taken to prevent a reoccurrence."

Telstra’s contact centre agents were unable to handle the volume of calls from customers concerned their details had been exposed.

“Unfortunately we are experiencing delays in answering calls due to high call volumes at the moment. We sincerely apologise if we do keep you waiting and will get through to you as soon as soon as we can,” said Danielle Horan, head of online and social media at Telstra.

The company closed down any comment on its social media site but promised comments would be published today.

Telstra representatives responding to inquiries on Twitter ambitiously offered for the company to contact all impacted customers “early in the week to discuss further".

Remember to sign up to our Security bulletin for the definitive summary and analysis of Infosec threats.