Telstra’s retail staff are continuing to use commercially sensitive wholesale customer data to benefit the company’s retail operations, but the telco has advised that its systems won’t be able to properly fence off the information until the end of this year.
The ACCC today released its second annual report into Telstra’s compliance with its structural separation undertaking (SSU).
The competition watchdog revealed Telstra is failing to meet its commitment to properly secure wholesale customer data from access by its retail employees, and continues to favour retail over wholesale customers for ADSL broadband service upgrades.
"The breaches identified in this report are examples of the perennial competition issues arising from Telstra’s vertical integration and demonstrate the importance of the SSU to ensure equivalence and transparency until structural reform of the telecommunications sector is.realised,” ACCC Commissioner Cristina Cifuentes said in a statement.
Telstra’s SSU, which was accepted by the ACCC in early 2012, outlines how Telstra will migrate its fixed-line voice and broadband customers onto the NBN.
The ACCC made its first report into Telstra’s compliance public in June last year, revealing the telco’s retail staff had been misusing supposedly confidential wholesale data to withdraw new wholesale service orders lodged by internet service providers.
The watchdog today revealed despite a number of attempts to limit the behaviour through system fixes, the behaviour continues.
The report detailed one particular case where a team leader of a Telstra retail inbound call centre had emailed their team advising them to use confidential wholesale data, accessible through Telstra’s internal systems, for potential sales leads.
The team leader told 120 retail staff to check whether a customer had a service through a Telstra wholesale provider, and then ask the customer why that service was not held with Telstra directly.
“I notice that you don’t have an internet service with Telstra, may I ask if there is a reason behind it?” Telstra retail staff were prompted to ask.
During the reporting period, that particular team received over 10,600 calls, with 780 of those labelled as leads.
Telstra said it conducted its own investigation into the behaviour and found the email did not result in any customer churning its services away from a wholesale provider and onto Telstra retail.
It said call centre staff members had only queried the end-user's services after checking wholesale data on two occasions.
After becoming aware of the issue the telco remediated the use by removing ‘conversion opportunity messages’, and gave staff refresher training on SSU obligations.
Telstra self-reported a total of 21 breaches of the SSU over the 2012-13 financial year.
It also identified 15 systems with holes allowing Telstra Retail staff to access confidential wholesale customer data; the ability of its Retail Business Unit to cancel wholesale orders; and a failure to provide the same timely access to ADSL upgrades for both wholesale and retail customers.
The breaches come despite Telstra’s ongoing efforts to train and educate staff in behavioural policies and procedures to ensure compliance with the SSU.
Wholesale customers left behind for ADSL upgrades
Telstra similarly admitted to breaching the SSU by not providing its wholesale customers the same timely access to ADSL service enhancements as its retail customers.
The ACCC report highlighted a specific issue in 2011 relating to the release of two new Telstra ADSL profiles as part of its digital business broadband and VoiP bundle.
The telco failed to make the profiles available to wholesale customers at the same time as its retail user base, and was forced to rectify the issue after being found to have breached its SSU commitments.
Systems remain open for misuse
But despite Telstra’s efforts to ensure its IT systems complied with its SSU obligations over the last year, the telco admitted its remediation program won’t be complete until the end of the year.
It said in the compliance report it could not ensure the majority of its systems would properly segregate wholesale data from retail staff until 31 December 2014.
It has, however, started the process, and has already implemented a number of remediations including the removal of wholesale customer data visibility in certain elements of a handful of systems; controls to safeguard the data; to remove search functions and access to historical data; and to control viewing and modification privileges.
The ACCC acknowledged the critical nature of the Telstra systems involved meant the company’s remediation efforts were difficult and complex. It said it will test the implemented solutions once the remediation program is complete to ensure they operate as per the SSU obligations.
It said Telstra’s internal governance arrangements and compliance training programs had so far been “generally successful” in terms of identifying most of the issues early on, and expected Telstra’s systems would prevent repeats of these types of breaches once the remediation program is complete.
A Telstra spokesperson said in a statement the company was proactively identifying gaps in its systems and investing significantly to close them.
The spokesperson said the report offered no evidence to suggest retail staff had used wholesale wholesale data to obtain "unfair" commercial advantage.
"The small number of issues identified in the report need to be seen in context. Last year we had more than 100 million interactions with our customers and end users on the Telstra network and we performed very well in delivering equivalence across all these interactions," the spokesperson said.
"Nonetheless, we acknowledge the gaps in our systems and are working to fix them."