Telstra is still failing to properly protect sensitive wholesale information from its retail business four years after agreeing to structural separation.
The issue has plagued Telstra since it signed the structural separation undertaking (SSU) in 2012.
The undertaking requires the telco to safeguard wholesale information from its retail operations so the latter cannot gain an unfair competitive advantage.
However, in each of its four annual reports into Telstra's compliance with the SSU, the ACCC has found breaches of the undertaking - albeit in declining severity.
While the ACCC said Telstra has improved and was committed to increasing its level of compliance with the SSU, it was still finding instances of unauthorised disclosure of sensitive wholesale customer data.
"Similar to previous years, the most common SSU compliance issue in the period was Telstra’s failure to prevent unauthorised disclosure of protected information," the ACCC said in its 2014-15 report, released today [pdf].
It blamed the problems on outstanding IT issues related to legacy systems, as well as a number of "isolated" incidents attributed to staff error.
Telstra has been engaged in a wide-ranging remediation program for its legacy IT systems since 2014; however, the project has extended beyond the original December 31 2014 deadline.
The ACCC today said most of the work had been completed in March last year, but new issues with three IT systems had since come to light.
The telco was working on addressing these issues with the ACCC and an external consultant and had temporary measures in place to segregate retail staff from wholesale data, the ACCC said.
Regardless, in several "isolated" instances, wholesale information was "inadvertently" disclosed to retail staff in error "either by email or verbal disclosure", the report stated.
On another occasion, several retail staff accessed a meeting room in secure Telstra Wholesale premises without any wholesale staff being present due to a scheduling mistake, the report revealed.
Telstra self-reported the four breaches to the ACCC, the watchdog said.
One of the breaches related to a Telstra retail employee being copied in to a wholesale employee email chain after one staff member chose the wrong name from Outlook.
It meant the retail staffer had access to names of certain wholesale customers, including one who had chosen not to go with Telstra for retail services.
Telstra told the ACCC it had identified the issue on the same day and issued a recall message, and ordered the retail staffer to delete the email. It said it had coached staff to ensure the same issue did not reoccur.
A separate breach also saw a retail staff member sent sensitive wholesale customer information via email, the ACCC said.
A former Telstra wholesale employee, on her first day in a new job in Telstra's retail business, was included in a group email that detailed service information for a specific wholesale customer.
The ACCC said the staffer had received the email because of a failure to update her privileges from her previous role.
In another case, Telstra said it became aware in November 2014 that two call centre teams had the ability to process retail orders whilst also being able to access wholesale customer information, breaching the SSU.
As a result, the telco created access profiles for staff which mask wholesale customer information from them in shared systems. It is still working on remediating two systems and said it would have the matter resolved by the second quarter of this year.
In the fourth breach, a network services employee gave a retail staffer information about a wholesale service on a particular customer after the user called in to ask why their order for a retail ADSL service had failed.
"The retail business unit employee accessed an IT system that included a note made by another Telstra employee to the effect that there was a held wholesale order on the relevant line," the ACCC wrote.
"The retail business unit staff member called a network services business unit employee for further information. During the call, the network services business unit employee confirmed the existence of the wholesale order but provided no further details."
Telstra told the ACCC the incident was a one-off and said it had trained the employees involved on correct procedures.
IT systems issues
The watchdog also found a handful of issues related to the ability for retail staff to view wholesale information through gaps in Telstra's IT systems.
Two related to free text fields in separate solutions containing wholesale data viewable by retail employees; another, in a user interface, meant retail staff could discern that the customer's number was associated with a wholesale service; and another allowed retail staff to see wholesale service information within a corporate reporting portal.
Telstra's IT systems remediation project covers 42 IT systems across the business. Most of the work has been completed but a small amount is still ongoing.
"The ACCC understands the remediation project has been complex and has involved systems changes, process and operational changes as well as behavioural controls where the system is unable to be fully separated," the ACCC wrote.
The last major piece of remediation work is to its data warehouse reporting, which includes historical information about a "small percentage" of wholesale customers accessible by retail staff.
"The ACCC recognises that Telstra has made a significant investment in its IT system remediation project and appears committed to improving compliance with its SSU obligations in this area," the watchdog said.
The ACCC said overall, it was pleased with Telstra's progress towards complying with the SSU.
The telco this year has avoided some of the major breaches evident in past compliance reports.
In 2013, the ACCC discovered retail staff had been cancelling wholesale service orders lodged by other internet service providers.
Last year, the ACCC reported that Telstra staff were treating wholesale and retail phone customers differently by closing more wholesale faults without addressing the problem than retail issues.
Telstra said it had proactively identified the gaps in its systems noted by the ACCC and undertaken a "comprehensive program" to remediate them.