The Australian Privacy Commissioner has found Telstra breached the Privacy Act when it exposed thousands of customer records to the public over the internet last year.
Commissioner Timothy Pilgrim said the telco breached National Privacy Principle 2.1 and 4.1 as it “did not take reasonable steps to protect customers' personal information from unauthorised access and disclosure”.
Telstra reset 73,000 customer passwords in December after an internal tool containing sensitive information for a total 806,000 subscribers — including passwords, usernames, phone numbers and addresses — were inadvertently exposed on the internet.
Approximately 734,000 records in total were exposed.
Telstra’s entire BigPond email system was taken offline, affecting up to a million users.
The telco’s incident response manager Scott McIntyre this year revealed at SC's 'Security on the Move' event that Telstra had taken down the offending site within an hour of becoming aware of the gaffe.
The Privacy Commissioner's investigation found the telco failed to properly escalate the security incident to the relevant area when it was first aroused.
It found the breach was caused in part because a Telstra employee incorrectly filling out a mandatory security compliance questionnaire before implementing the system, in a “failure to follow proper systems, processes and oversight”.
A separate but contemporaneous investigation into the incident by the media regulator (doc) found that "had the Telstra staff member completed the questionnaire correctly, the relevant risks would have been identified".
"In addition to this, a small number of people failed to protect the Visibility Tool once it became clear that it could be externally accessed," it said.
"Had Telstra’s internal processes been correctly followed, the incident would have been prevented"
But Telstra escaped any undertakings or further penalties from either the Privacy Commissioner or the Australian Communications and Media Authority, despite the latter organisation also finding Telstra had contravened the Telecommunications Industry Protection Code.
Both investigations were finalised without penalty thanks to the telco's rapid incident response, which it used to pull records from the internet, reset passwords and contacted customers.
“The commissioner acknowledges that on becoming aware of this incident Telstra acted immediately to restrict access to personal information, commenced an investigation into the incident and implemented a number of security and policy measures,” Pilgrim said in a statement.
“These actions could be seen as reasonable steps to protect the personal information held by Telstra from unauthorised access.”
It said Telstra had run audits, revised its Privacy Compliance Program, introduced training, and improved the involvement of the Chief Privacy Officer.
The telco has received several privacy complaints in recent months, most notably due to publicity surrounding its attempts to monitor web traffic for Next G subscribers to build a voluntary web filter. The company halted such tracking this week after several customers referred the incident to the Privacy Commissioner, who is yet to open a formal investigation.