Exetel fined $694k over system 'vulnerability' for mobile number porting

Exetel has been penalised $694,000 after scammers were able to port mobile numbers to the telco and use them to steal hundreds of thousands of dollars from bank accounts.

An investigation [pdf] by the Australian Communications and Media Authority (ACMA) found that unspecified “bad actor/s” were able to port 73 numbers to Exetel through an online portal, with some required identity checks taking place.

“This occurred via a deficiency in Exetel’s system,” the ACMA said.

For a further five numbers, it appears the bad actors were able to “manipulate … systems” in some way, according to a media statement.

Details of this are redacted from the investigation report, which states only that “bad actor/s” took an unspecified action “so they could proceed with an unverified [mobile number] port.”

In total, the ported numbers were used to steal at least $412,000 from bank accounts.

“While Exetel took steps to fix its issues soon after they were identified, the simple fact is the vulnerabilities should not have existed in the first place and the people impacted should have been protected,” ACMA member Samantha Yorke said.

“These scams are often perpetrated by sophisticated criminal syndicates and telcos must ensure their online portals and forms are secure and cannot be compromised.”

Yorke added that the penalty paid by Exetel “is the largest to date for contraventions of these rules.”

The incidents took place mid last year, with the ACMA concluding its investigation back in February.