Telstra has been forced to pay $10,200 and has been found to have breached the Australian Privacy Act after inadvertently exposing the details of over 15,000 customers online.
In May last year the personal information of 15,775 Telstra customers, held in internal Telstra spreadsheets, was discovered to be publicly accessible through a Google search.
The data included customer names, telephone numbers and in some cases addresses. It also included the details of 1257 silent-line customers, whose numbers are meant to be unlisted.
Telstra took the files offline soon after being notified, but admitted there had been at least 166 downloads of the records. Both the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (the ACMA) investigated the issue.
The OAIC revealed today the customer data dated back to 2009 and had been publicly accessible online for 15 months from February 2012.
The data was understood to reside on a third-party server not belonging to Telstra. The OAIC today said the data breach had occurred after the third-party provider inadvertently turned off an access control in February 2012 while acting on a request from Telstra to extend that access control.
As a result the source files were publicly reachable online from that point and were indexed by Google from June 2012.
The OAIC said Telstra had acted appropriately by immediately disabling public links to the files, requesting Google to clear the caches, reporting the incident to the relevant authorities, requesting the third party provider investigate internally, and notifying affected customers.
But it found Telstra had failed to take reasonable steps to ensure the security of its customers’ personal information, failed to take reasonable steps to destroy or permanently de-identify the information, and had disclosed personal information other than for a permitted purpose.
The regulator ordered Telstra to audit its systems by June 30 this year.
A concurrent ACMA investigation found Telstra’s actions had contravened the Telecommunications Consumer Protections Code, as well as an ACMA direction to comply with the code, given to Telstra after it inadvertently made the personal details of 734,000 of its customers accessible online in 2011.
It was this contravention of the ACMA direction to comply that resulted in the $10,200 infringement notice.
At the time of the latest data breach, Telstra was still undergoing a remediation program related to the 2011 privacy breach which caused it to reset 73,000 customer passwords after 734,000 Telstra user passwords, usernames, phone numbers and addresses were discovered exposed online.
Telstra management have decided to decommission the third-party platform the telco had been using - understood to be a system hosted by Oracle-owned SaaS vendor RightNow - in favour of an internal solution. The platform was fully decommissioned by Telstra as of December 31, 2013, the OAIC report said.
The data breach is the latest in a string of such gaffes affecting Telstra customers in recent years. Alongside the 2011 breach, two breaches in 2010 exposed the details of just under 4000 customers, while also in 2010 the telco sent out 220,000 letters to customers containing account information of other users.
In 2012 Telstra was forced to reset the passwords of up to 230,000 GameArena and Games Shop members after the two sites fell victim to a hacking attack.
Australian Privacy Commissioner Timothy Pilgrim today said the latest incident was a "timely reminder to all organisations that they should prioritise privacy".
"All entities bound by the Privacy Act must have in place security measures to protect personal information," he said in a statement.
New privacy laws governing such breaches come into effect tomorrow. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 introduces a single set of Australian Privacy Principles (APPs), replacing the current Information Privacy Principles (IPPs) for the public sector and the National Privacy Principles (NPPs) for the private sector.
The obligations under the new APPs remain largely the same, but an entity is now explicitly required to take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
The Privacy Commissioner will also be able to apply for civil penalty orders of up to $340,000 for an individual and up to $1.7 million for companies.