Telstra wholesale provider TeleChoice has agreed to pay for 12 months of credit monitoring for customers affected by a 2014 data breach.
BSB-owned TeleChoice reported the breach to the Office of the Australian Information Commissioner on April 24 this year after the security lapse was publicised on A Current Affair a day earlier.
It admitted to storing customer data in shipping containers on Victorian bushland that were easily accessible to members of the public.
The documents contained personal details of former TeleChoice customers, including passport details, drivers licenses, customer contracts and other identifying data.
It said it destroyed the documents on the same day it notified the privacy office.
The company later admitted to the OAIC that the documents had been stored in the shipping containers for almost two years before the breach occured.
They had been awaiting destruction, the company said, and had until January this year been stored in a fenced property when they were moved to a new spot.
Despite the new location in Hastings being private land, the area was unfenced and could be accessed by members of the public, the OAIC said today.
The containers were locked and checked monthly, the OAIC revealed, but at some point in April - before the scheduled monthly visit - a break-in had occured.
TeleChoice was unable to identify the individuals whose personal information was stored in the containers, the OAIC said, meaning any person who was a customer before March 31 2013 could be affected.
The OAIC today accepted an enforceable undertaking from TeleChoice, in which the provider promised to fund the cost of 12 months worth of credit monitoring for affected individuals.
The company also pledged to engage a third-party to review its information handling practices and procedures and implement the findings, and train its staff on privacy.
TeleChoice admitted to breaching Australian Privacy Principle 11 by failing to secure the data from unauthorised access and destory or de-identify the information once it was no longer required.
Privacy and information commissioner Timothy Pilgrim said he appreciated TeleChoice's co-operation during the investigation.
"This incident demonstrates the importance of businesses securing the personal information that they hold," he said in a statement.
"Physically locking a container that holds personal information is not sufficient if the container is publically accessible and unmonitored for extended periods.
"I would encourage all businesses to review their customer records storage. Australian customers expect that organisations will handle their personal information securely, and are entitled to this under the Privacy Act."