Telstra's retail staff have been discovered withdrawing new service orders lodged by some of Australia's internet service providers.
The misuse of supposedly confidential data between Telstra's wholesale and retail business units is contained in a compliance report tabled in Parliament. (pdf)
The case cited is not isolated. The report also details how Telstra flags accounts with non-Telstra services as "conversion opportunities" — though Telstra disputes the extent of "unfair commercial advantage" this might confer.
That fight has been stepped up over the past week over concerns Telstra is trying to limit restrictions on how it can share NBN information internally.
Telstra must convince NBN Co, ISPs and ultimately the Australian Competition and Consumer Commission that it will not use NBN data for "anti-competitive behaviour" — a task which could prove more difficult in light of today's disclosures.
Telstra is required to safeguard commercially-sensitive wholesale information from its retail business units under its structural separation commitments.
Culling wholesale orders
The compliance report, published by the ACCC, reveals how Telstra Retail staff killed an average 21 new service orders lodged by ISPs each month before the telco intervened to stop the practice last year.
The report only covers the period of 6 March 2012 to June 30 2012. It is unclear how long such practices have existed.
"As part of the activation process, employees contact Wholesale Customer end-users to confirm details such as connection address and whether a lead-in has been installed," the report stated.
"There have been limited instances of employees cancelling Wholesale Customer orders at the direction of the Wholesale Customer's end-user, believing they are fulfilling the customer's wishes."
One situation in which this might have occurred is for end-users that had retail relationships with Telstra and with an ISP that happened to be a reseller of Telstra lines.
"A shared end-user could potentially contact Telstra Retail to cancel their services, including a pending wholesale order, because the end-user had decided to use mobile instead of fixed-line services, or because their business was closing and services were no longer required," the report noted.
But it appears not all instances might have involved an end-user with shared retail relationships. The report did not specify but raised the possibility that end-users without Telstra Retail relationships also got caught out.
Instances where Telstra Retail staff cancelled pending wholesale orders were "in breach of company policy and against training/instructions to staff", the report noted.
Telstra "removed the ability for Telstra retail staff to withdraw wholesale LSS orders in August 2012". Line Sharing Service is the wholesale product used by ISPs to provide ADSL2+ using their own DSLAM equipment.
A further "system fix" was made in November 2012 "to remove the ability of Telstra Retail staff to withdraw any wholesale orders and modify most wholesale orders, with further IT changes planned to restrict the ability to modify wholesale orders".
Telstra had also moved to "reinstate orders that were incorrectly withdrawn". Telstra staff that killed the orders were "provided with further training/coaching to avert recurrence".
However, it appeared to take a specific request by the ACCC for Telstra to advise affected wholesale customers — i.e. ISPs — how withdrawn orders could be reinstated.
Investigations by the ACCC also revealed how Telstra allegedly notified its Retail staff there were non-Telstra services on a particular copper line.
The user's account would be tagged 'NON-TEL' in ordering and provisioning systems. Another system used for sales transactions displayed 'conversion opportunity' messages where an end-user acquired one or more non-Telstra services.
Telstra's retail sales consultants were then allegedly given guidance on whether the end-user had "agreed to be told information about Telstra products", meaning attempts could be made to convert them.
"Despite Telstra's guidelines, Telstra cannot rule out the possibility of some Retail Business Unit staff disregarding the guidelines and using the 'NON-TEL' indicator and [conversion] messages to gain or exploit an unfair commercial advantage," the ACCC noted.
Telstra argued the system indicators "do not prompt Retail Business Unit staff to engage in activities that would provide any unfair commercial advantage to a Retail Business Unit, or be likely to do so".
The carrier also said it hadn't uncovered "any widespread or systemic use" of wholesale data by Telstra Retail to gain an unfair advantage.
But the ACCC argued the mere existence of the capability put Telstra in breach of its structural separation obligations.
The report identified several other information security breakdowns between Telstra's wholesale and retail business units.
"Human error" was blamed for an instance where service migration data from Telstra's South Brisbane exchange relocation project found its way into the hands of retail staff, courtesy of a daily report sent out to the "cross-company project team" running the work.
Retail staff had also been able to interrogate wholesale data kept in a data warehouse and in billing systems. Those staff had since had their system privileges revoked.
The ACCC said it was continuing to investigate the breaches uncovered.
"While it is of concern that these breaches have occurred, the fact that these matters are now coming to light and are being addressed shows that the SSU is working," ACCC Chairman Rod Sims said.
A Telstra spokesman noted the issues were from "2011-12" and were "self-reported by Telstra".
"Importantly there's nothing to suggest we gained any unfair commercial advantage as a result," the spokesman said.
"We're addressing all of the issues identified through a comprehensive IT program to remediate the relevant systems."