Days after privacy concerns were raised over Telstra tracking websites viewed by customers, the telco has been found by the communications regulator and privacy commissioner to have made customer details public -- in breach of the Privacy Act and the Telecommunications Consumer Protections Code.
Customers' personal information held in a Telstra database, the Visibility Tool, was publicly accessible from 29 March 2011 to 9 December 2011. Customer names and phone numbers were exposed and, in some cases, customers' dates of birth, driver's licence numbers and credit card details were also available.
At the time, the Visibility Tool held records for 734,000 customers; Telstra eventually reset the passwords of about 10 per cent (73,000) of them.
Privacy Commissioner Timothy Pilgrim found Telstra in breach of two principles under the Privacy Act, and said he was particularly concerned about the length of time the customer information had been available.
“…I haven’t seen many [breaches] that have occurred such a long time. There have been a couple that we’ve found and investigated that have been over a couple of months, but I think eight months is a long period of time for a breach to be ongoing,” Pilgrim told Computerworld Australia. “I’d rate this as a significant breach and a serious one in comparison to a number of ones that we’ve looked at over the last few months.”
An internal Telstra report found a series of errors around the Visibility Tool, including incorrectly classifying the project as one that did not process, store or transfer customer data, which resulted in inadequate security measures being put in place.
The Telstra report also found that a software restoration of the tool restored incorrect configuration settings, which left the URL hosting the personal information publicly accessible. The Visibility Tool was also not protected by a firewall.
“The disclosure of Telstra customers' personal information was not a result of a one-off human error but rather a series of errors that revealed significant weaknesses in Telstra's reporting, monitoring and accountability systems,” the privacy commissioner’s report stated.
“The fact that a number of people were aware of the errors and did not raise them with higher management demonstrates that Telstra's policies and procedures had not been followed on a number of occasions.”
A report by the communications regulator, the Australian Communications and Media Authority (ACMA), also stated Telstra had failed to provide it with evidence that it had adequate mechanisms in place for assessing privacy risks associated with the tool and “does not accept Telstra’s assertion that the incident was caused by a failure of a small number of people to follow its processes and safeguards rather than a failure of its processes and safeguards themselves”.
Privacy breaches by large companies like Telstra are not new, and Pilgrim said he could not explain why such companies are still failing to put adequate security measures in place.
“The short answer is I don’t know why they’re not,” he said. “[They] run the risk of losing customer trust when they have a breach and losing those customers … People will probably vote with their feet if they feel their personal information is not being looked after appropriately by an organisation [and] they will go to a competitor.”
Telstra issued a statement apologising for the breach.
“…We have made it clear that this particular incident is unacceptable and have taken action to prevent it from happening again," said Peter Jamieson, Telstra’s executive director of customer service.
Telstra also found itself in hot water this week when it emerged that it had been tracking websites visited by Next G mobile customers and sending the information to the US-based company Netsweeper.
Since the Visibility Tool breach, Telstra has embarked on a remediation project to introduce security measures to secure customers’ personal information and prevent unauthorised access. Telstra has been asked by Pilgrim to provide a progress report on the remediation by October 2012 and is also required to provide a report on the complete remediation project by April 2013.
The Office of the Australian Information Commissioner and the ACMA do not currently have the power to impose financial penalties on companies for breaches. However, the Privacy Act is undergoing reform, with increased powers slated for the privacy commissioner, including the ability to seek civil remedies and to enforce undertakings.
“I look forward to those powers being passed by the parliament,” Pilgrim said.
Follow Stephanie McDonald on Twitter: @stephmcdonald0
Follow Computerworld Australia on Twitter: @ComputerworldAU