Telstra fined $10k for breaching privacy laws when leaking customer data

Professor John McMillan, Australian Information Commissioner announces the release of the Australian Privacy Principles (APP) guidelines.

TELSTRA breached privacy laws and industry codes when it accidentally released the personal information of nearly 16,000 customers, two separate investigations have found. 

The leaked data, which included full names, addresses and phone numbers in various spreadsheet files, was accessible via a Google search between June 23, 2012 and May 15, 2013.

Telstra says it immediately disabled all public access to the data when informed of the breach in May.

In a report released on Tuesday, the Australian Privacy Commissioner, Timothy Pilgrim, found the telco had breached privacy laws by releasing the information and by failing to take reasonable steps to secure it.

However he noted that Telstra “acted appropriately in responding to the data breach”.

In a separate report released on Tuesday, the Australian Communications and Media Authority (ACMA) found Telstra had also contravened the telco consumer protection code.

At the time the breach was discovered, Telstra was already subject to a direction from the communications watchdog to improve its customer data protection following a 2011 breach involving 734,000 customers.

As a result, the ACMA issued Telstra a $10,200 infringement notice, which Telstra says it paid last week.

The leaked data, which included full names, addresses and phone numbers in various spreadsheet files, was accessible via a Google search between June 23, 2012 and May 15, 2013. Source: AFP

 

The data breach, which included more than 1000 customers who had requested anonymity from phonebooks, occurred when Telstra asked a third party IT provider responsible for the database to extend access to authorised partners.

When the third party did this, it inadvertently turned off access controls. Google later indexed the source files, which became discoverable via an online search.

Telstra said in a statement that the customer records in question “were only visible via a complex Google search and there were no significant complaints from affected customers”.

A spokesperson said Telstra has stopped using the IT platform responsible for the breach and invested in “more stringent” controls.

The telco will engage an independent third party auditor to certify that it has implemented better controls.

The results of the two investigations were released a day before sweeping new privacy laws come into force, strengthening the powers of the Privacy Commissioner.

“This incident is a timely reminder to all organisations that they should prioritise privacy,” Mr Pilgrim said.

news.com.au 11 Mar 2014

Telstra puts Australia workers into the unemployment queue, only to rehire cheap labour from overseas.

This naturally comes at a price, as the details are traded amongst other local 'companies'.

There is literally no quality control nor privacy assurance from the temporary backyard so called 'companies'.

 The $10,200 fine is an absolute joke.

Another win for Telstra and a gross breach of privacy, where the 'fine' is not nearly enough for the company to be discouraged.