Telstra CISO Mike Burgess says the telco has taken steps to tighten up security controls following three data breach investigations launched by Australian Privacy Commissioner Timothy Pilgrim since 2010.
The latest investigation occurred following an incident in May 2013 when it emerged that 15,775 phone numbers, names and home addresses contained in spreadsheets were found online via a Google search.
Pilgrim concluded that Telstra had breached three National Privacy Principles (NPPs):
- NPP 4.1 – failure to take reasonable steps to ensure the security of the personal information it held
- NPP 4.2 – failure to take reasonable steps to destroy or permanently de-identify the personal information it held
- NPP 2.1 – disclosure of personal information other than for a permitted purpose.
The first investigation by Pilgrim took place on 28 October 2010 when Telstra told the OAIC that a mailing list error had resulted in approximately 220,000 letters with incorrect addresses being mailed out.
Telstra disclosed that this error may have caused the personal information, including names and telephone details, of some of its customers to be improperly disclosed.
Following his investigation into the matter, Pilgrim concluded that Telstra had breached National Privacy Principle (NPP) 2 by disclosing the personal information of some of its customers to unauthorised third parties.
On 12 December 2011, Pilgrim was on the case again after it emerged that Telstra’s customer service website was openly accessible on the Internet.
The telecommunications company said it was made aware of the privacy breach and disabled its online billing, BigPond self-care and My Account functions on its website.
In response, Burgess told CIO Australia that Telstra has put a “lot of effort” into training staff about security issues.
“The challenge is not just from external hackers. If we don’t do everything possible to protect our information, we will have issues,” he said.
“If there is a data breach, you have to tell the customer or owner of that data.”
He added that Telstra CEO David Thodey has “made it very clear” in an email to staff that they need to look after customer data.
For example, his team of 240 information security staff is constantly scanning the telco’s networks and infrastructure for attacks.
“We have a program of scanning new products and websites when they are put online. These products and websites are subject to mandatory security testing and when we make changes to our systems or networks, we apply mandatory checking to those systems.
“Security is an ongoing process; we can’t sit back and relax. For me, customer privacy is our number one priority.”
When the Heartbleed bug emerged in April 2014, Burgess said that his team put security detection mechanisms in place so that the team could detect the vulnerability.
“We found a number of areas where products we used had OpenSSL. They were identified, and plans were put in place to fix those products,” he said.
“We saw people scanning us, looking for that [OpenSSL] vulnerability, but we were able to shut them down.”
According to Burgess, all of the OpenSSL products that were connected to the Internet, and could be exploited externally, have been fixed.
“We have a small number of issues internally but there is no risk from someone outside of Telstra exploiting those,” he said. “The reason for that slight delay internally is we keep our networks up and running. There is a change process involved to make sure we don’t impact customer services.”
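The triage Burgess describes (find every place OpenSSL is in use, fix the internet-facing instances first, schedule the internal ones through change control) can be sketched as a small inventory-prioritisation script. This is an added example, not Telstra's tooling or anything from the article: the inventory records, host names and the `vendor_patched` field are constructed assumptions. The affected-version test relies only on the `openssl version` banner, so a distribution that backported the fix without changing the version string cannot be told apart from a vulnerable build and must be marked explicitly in the inventory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release.
# 1.0.1g fixed it; 1.0.2-beta2 onwards and the 0.9.8 / 1.0.0 branches never carried
# the vulnerable heartbeat code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


@dataclass
class Asset:
    host: str              # hypothetical asset name (constructed for this example)
    exposure: str          # "internet" or "internal", the split the article draws
    version_banner: str    # output of `openssl version` or a library banner
    vendor_patched: bool = False  # inventory owner confirmed a backported fix


def parse_version(banner: str) -> Optional[Tuple[int, int, int, str, Optional[int]]]:
    """Extract (major, minor, patch, letter, beta) from an OpenSSL banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def is_heartbleed_affected(banner: str) -> Optional[bool]:
    """True if the banner names an affected release, False if not, None if unparseable."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        # Plain 1.0.1 and 1.0.1a..1.0.1f are affected; 1.0.1g onwards are fixed.
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1          # only 1.0.2-beta1 shipped the bug
    return False


def remediation_plan(assets: List[Asset]) -> Dict[str, List[str]]:
    """Bucket hosts by what to do next.

    "internet": affected and externally reachable, fix immediately.
    "internal": affected but not externally reachable, fix via change control.
    "verify":   banner unparseable, confirm the library and version by hand.
    "clear":    not affected, or vendor-patched per the inventory owner.
    """
    plan: Dict[str, List[str]] = {"internet": [], "internal": [], "verify": [], "clear": []}
    for a in assets:
        affected = is_heartbleed_affected(a.version_banner)
        if affected is None:
            plan["verify"].append(a.host)
        elif affected and not a.vendor_patched:
            plan[a.exposure].append(a.host)
        else:
            plan["clear"].append(a.host)
    return plan


# Constructed sample inventory; none of these hosts or banners are from the article.
SAMPLE_INVENTORY = [
    Asset("web-portal-01", "internet", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    Asset("web-portal-02", "internet", "OpenSSL 1.0.1g 7 Apr 2014"),
    Asset("billing-int-01", "internal", "OpenSSL 1.0.1c 10 May 2012"),
    Asset("dist-backport-01", "internal", "OpenSSL 1.0.1e 11 Feb 2013", vendor_patched=True),
    Asset("legacy-app-01", "internal", "OpenSSL 0.9.8y 5 Feb 2013"),
    Asset("bsd-gw-01", "internet", "LibreSSL 2.0"),
]


if __name__ == "__main__":
    for bucket, hosts in remediation_plan(SAMPLE_INVENTORY).items():
        print(f"{bucket:9s}: {', '.join(hosts) or '-'}")
```

The `vendor_patched` flag is the important edge case: enterprise distributions commonly keep the upstream version number and backport the fix, so a banner of `1.0.1e` alone neither proves nor disproves exposure, and the inventory has to carry that confirmation separately.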
Like most CISOs, Burgess has to present cyber security issues to his board. And while Telstra executives are “tech savvy”, Burgess said he takes the time to explain the issues in “normal language” including what the cyber security issue is, and what can be done about it.
“Through our risk audit committee, there are regular meetings every three months and they are hearing about the information security risks that we have identified.
“It’s our customer’s data we are looking to protect, along with our company’s sensitive information.”
Follow Hamish Barwick on Twitter: @HamishBarwick