The Office of the Australian Information Commissioner has found Telstra breached the privacy of more than 15,000 customers.
In a report published today, Privacy Commissioner Tim Pilgrim found Telstra breached the privacy of 15,775 customers between February 2012 and May 2013.
The information of those customers, from 2009, was accessible on the internet, and this included the information of 1,257 active silent line customers.
The OAIC’s investigation focused on whether Telstra took reasonable steps to protect customer information from misuse, loss, unauthorised access, modification or disclosure.
Pilgrim found Telstra had breached three aspects of the National Privacy Principles, which included: failure to take reasonable steps to ensure the security of the personal information it held; failure to take reasonable steps to destroy or permanently de-identify the personal information it held; and disclosure of personal information other than for a permitted purpose.
In a report also published today, the Australian Communications and Media Authority found Telstra contravened clause 4.6.3 of the Telecommunications Consumer Protections Code (TCP Code) which requires telecommunications providers to ensure that the personal information of customers is protected from unauthorised use or disclosure and to have robust procedures in place to that end.
Pilgrim said the incident was a timely reminder to all organisations that they should prioritise privacy.
“All entities bound by the Privacy Act must have in place security measures to protect personal information,” he said.
Following the breach, Telstra agreed to undertake a number of actions, including exiting the software platform on which the incident occurred, establishing a clear policy for central software management, and reviewing contracts with third parties relating to personal information-handling.
Pilgrim recommended that Telstra engage an independent third-party auditor to certify it had implemented planned rectifications, with the certification to be provided to the Commissioner by June 30, and that it review its Document Retention Policy to ensure it meets the requirements of the Australian Privacy Principles, which apply from tomorrow.
Telstra has also paid an infringement notice for $10,200 in relation to its contravention of the ACMA’s earlier Direction to Comply (which is the amount provided for in the relevant telecommunications legislation).
Pilgrim will have the power to issue fines of up to $1.7 million following the introduction of changes to privacy laws tomorrow.
ACMA chairman, Chris Chapman, welcomed Pilgrim’s recommendations.
“Telco providers are in a position of trust with respect to their customers’ details and with it comes a weighty responsibility — a fact reflected in the outcomes mandated by the TCP Code,” he said.
Pilgrim said it provided a lesson for all organisations.
“There is no ‘set and forget’ solution to information security and privacy in the digital environment,” he said.
“Organisations need to regularly review and improve security systems to avoid data breaches.”
The incident was brought to light after Telstra contacted the ACMA to advise that it had learnt, via a journalist, that the names, phone numbers and addresses of around 15,775 Telstra customers had been available on the Internet.
The same journalist alerted the OAIC to the matter. Telstra also advised that there were at least 166 unique downloads of these records.
According to an OAIC statement, when Telstra discovered the problem it took steps to disable all public access links to the source and to have Google caches cleared to ensure that the data could not be accessed via a Google search.