A joint investigation by the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) found that the country’s largest telco, Telstra, breached the Privacy Act when it exposed the data of around 15,775 Telstra customers, including 1,257 silent line customers, after failing to put adequate safeguards in place to protect its customers’ information.
The breach was discovered in 2013, when it was revealed that private customer data of Telstra subscribers, including names, telephone numbers and physical addresses from the period 2006 to 2009, could be found simply by searching Google. The joint investigation found that Telstra failed to take reasonable steps to secure the personal data it held; failed to take reasonable steps to destroy or permanently de-identify personal information it no longer needed; and disclosed personal information for purposes other than those permitted.
Telstra was fined $10,200 for violating the ACMA’s codes, received a warning, and has been required to audit its systems to ensure that such a breach does not recur; the deadline for the audit has been set for 30 June 2014. The telco has also pledged to undertake several actions designed to mitigate the damage the breach has caused, including but not limited to:
· Shuttering the software platform(s) that led to the breach
· Establishing and enforcing a clear policy for central software management
· Reviewing contracts with third parties with regard to the handling of personal information
Telstra’s case is not a new one. In fact, the telco has gained a reputation for a lax privacy record: in 2012, the personal information of 730,000 Telstra customers was published online. There was also a bigger debacle back in 2010, when a glitch in its mailing system resulted in over 220,000 letters being mailed out with incorrect addresses.
This most recent brush with the Privacy Commissioner should serve as a lesson and a guide for all organisations when it comes to information security and privacy in the digital environment, where it is not enough to build a solution once and leave it alone. Systems and policies should be reviewed continually to catch vulnerabilities and loopholes, and to adopt new best practices as they become available, especially following the recently implemented changes to the Privacy Act.