- Telstra coughs to mistake
- 734,000 customer details leaked
- Telstra cannot be fined
Telstra breached its customer privacy obligations when personal information about 734,000 of its customers was made accessible online during 2011, says the Australian Communications and Media Authority (ACMA).
On 9 December 2011, Telstra advised the ACMA that the names and in some cases addresses of up to 734,000 Telstra customers had been accessible via a link available on the internet. Usernames and passwords of up to 41,000 of these Telstra customers had also been accessible.
“Under clause 6.8.1 of the Telecommunications Consumer Protections Code (TCP Code) a Carriage Service Provider must protect the privacy of each customer’s billing and related personal information,” said Acting ACMA Chairman, Richard Bean.
The Australian Privacy Commissioner also found that Telstra breached the Privacy Act 1988 by failing to take reasonable steps to protect the personal information it held about its customers.
Telstra explained that it used a web-based customer management tool called the Visibility Tool to track orders for bundled products. Personal information such as usernames, passwords and addresses, and in some cases driver's licence numbers and dates of birth, was publicly accessible on the Visibility Tool from 29 March 2011 to 9 December 2011. The number of customers in the database grew over that period, peaking at 734,000 by December 2011.
“We are most concerned about the length of time–more than eight months–during which a significant number of Telstra customers’ personal information was publicly available and accessible,” Richard Bean added. “Clearly there were gaps in Telstra’s processes to identify and act on the matter prior to media reports of the disclosure.”
Telstra has taken steps to remedy its processes and the ACMA is considering those steps and its formal enforcement response.
Where the ACMA finds a breach of the TCP Code, it can direct the service provider involved to comply with the code, or issue it a formal warning. It cannot, however, fine or otherwise penalise the provider.