Australia's largest telco Telstra has pledged to keep the metadata it is required to store on its customers for two years safe after the data retention scheme passed the Senate last night.
The Government and the Labor Party united last night to vote through the Coalition's data retention bill, despite a last-ditch effort by the Greens and several independents to make changes to the bill.
Telcos and internet service providers will now have 18 months to prepare their systems to comply with the scheme, which will see the non-content data of customers retained for two years to aid law enforcement.
Telstra and other industry members have previously warned that the centralised systems telcos would need to build would create an attractive target for hackers.
Chief information security officer Mike Burgess in January said the centralisation would make the data much easier for an attacker to access, compared to penetrating the telco's 13 current systems.
"You would go for that system because it would give you the pot of gold, rather than working through our multitude of systems today to find that data," Burgess said.
In a blog post today, Burgess said Telstra took data security "very seriously" and the telco would ensure the data to be collected was well protected.
"There is a two year period to implement the scheme and we will be using this time to make sure we have the right protections in place," he wrote.
He also pledged to store the data in Australia - the data retention bill does not place any restrictions on where telcos and ISPs are to host the data, leading to concerns that many will take the low-cost route and offshore it.
"We are still developing our implementation plans but we have already decided to store our customer metadata encrypted at facilities located here in Australia," Burgess said.
"While geography alone is not a good measure of security, storing the data in Australia should help allay the concerns of some customers."
Burgess said Telstra's security protections for the data retention scheme would build on the telco's existing infosec measures, including intrusion detection systems and active network monitoring of Telstra's network to "detect, analyse, and respond to identified security incidents".
"We understand that customer metadata has enormous value not just to our customers and law enforcement agencies but also to a range of malicious actors who may seek to gain access to our systems," he said.
"Our commitment to you is to work diligently every day to protect our networks and your data."
Burgess also recommended that customers install up-to-date security software, update their operating systems and applications as soon as possible, "have robust and varied passwords, and be aware of phishing emails and other scams that contain malicious attachments or links".
iiNet said it would store data in Australia, but it was not rushing to implement the retention capabilities "as a high business priority especially without understanding the cost contribution from the Government".
Vodafone declined to provide detail on its plans for hosting, but said it would "work with Government to fulfil our requirements" while "continuing to protect the personal information of our customers".
Optus said location of storage would be dealt with in its data retention plan.