AAPT failed to protect customer data, Privacy Commissioner finds

Internet service provider breached Privacy Act says Timothy Pilgrim

An investigation by Australian Privacy Commissioner, Timothy Pilgrim, has found that AAPT breached the Privacy Act by failing to protect customer data from unauthorised access.

The internet service provider also breached the Act by not destroying customer information that was no longer used.

In July 2012, AAPT customer data held on servers hosted by IT contractor Melbourne IT was hacked and published online by members of Anonymous.

The compromised server held a series of websites and databases that included personal information about AAPT business customers used to verify the identity of customers. This information was collected for the purpose of obtaining credit reports of AAPT business customers and transferring telephone numbers from other telecommunications carriers.

AAPT CEO David Yuile said at the time that two files were compromised and the data was historic, with limited personal customer information.

In his report, Pilgrim said that “more should have been done” by the company to manage and protect customer information.

“Using older versions of applications and software when newer versions are available is a risk that needs to be actively managed, particularly when personal information is involved,” he said in a statement.

“It was concerning that the compromised servers contained old customer information that was no longer needed by AAPT. This does not comply with the Privacy Act and organisations which do so are needlessly placing themselves in a position of risk.”

Pilgrim added that companies should ensure contracts with IT suppliers are clear about which party has responsibility for identifying and addressing data security issues.

He made a number of recommendations to AAPT including regular training for staff about data retention, ensuring all IT applications are subject to vulnerability assessment and conducting regular audits of AAPT’s IT security framework. The company has implemented the recommendations.

Follow Hamish Barwick on Twitter: @HamishBarwick
