Telstra has issued a formal apology to affected customers after phone numbers, names and home addresses contained in spreadsheets were found online during a Google search.
SMS Broadcast owner, Lee Gaywood, contacted the Sydney Morning Herald and said that he found the data when searching on Google for telco carrier access codes. According to Gaywood, he needs to know the codes for his SMS service to work.
Telstra took the files offline on 15 May after being notified of the breach by Fairfax, according to the SMH report.
A Telstra spokesman told Computerworld Australia that the company takes customers’ privacy “very seriously” and it was investigating the issue.
“We have since removed access to the data and early indications show is it is generally the same type of information you can find publically in the white pages, and we believe at this point it's more than six plus years old,” he said.
The spokesman added that that the Privacy Commissioner, Timothy Pilgrim, had been fully informed.
Telstra customer service executive director Peter Jamieson said in a blog posting that it was “not acceptable” for the incident to have occurred.
“I apologise and assure everybody that we’ll find out exactly what has happened here and do everything we can to make sure this does not happen again,” he said.
According to Jamieson, the telco was taking steps to identify affected customers and work with them on an individual basis.
“Additionally, we will be contacting all customers whose information was inadvertently made available.”
Telstra has been investigated by the Privacy Commissioner twice for data breaches in the past three years.
The first investigation took place on 28 October 2010 when Telstra told the Office of the Australian Information Commission (OAIC) that a mailing list error had resulted in approximately 220,000 letters with incorrect addresses being mailed out.
Telstra disclosed that this error may have caused the personal information including names and telephone details of some of its customers to be improperly disclosed.
Following his investigation into the matter, the Privacy Commissioner concluded that Telstra had breached National Privacy Principle (NPP) 2 by disclosing the personal information of some of its customers to unauthorised third parties.
On 12 December 2011, Pilgrim was on the case again after Telstra’s customer service website was openly accessible on the Internet.
The telecommunications company said it was made aware of the privacy breach and disabled its online billing, BigPond self-care and My Account functions on its website.
Account details including account numbers, phone numbers and credit card details of just fewer than one million Telstra customers were potentially compromised by the breach.
Follow Hamish Barwick on Twitter: @HamishBarwick