The Australian Privacy Commissioner has accepted an enforceable undertaking from Singtel Optus, following three privacy security incidents where the security of personal information held by Optus was compromised.

The Commissioner was concerned that Optus did not have reasonable steps in place to safeguard the privacy security of personal information held in its systems at the time the incidents occurred, and as required by APP 11.

In particular the Commissioner was concerned that the security of personal information of a large number of individuals was compromised as a result of each of these incidents (over 100,000 in each incident). The White Pages incident resulted in the disclosure of the contact information of silent line customers.

In each case, there was a failure by Optus to detect the incidents; the incidents were brought to Optus’s attention by third parties. This resulted in substantial delays in Optus taking action to contain each incident, which also prolonged the duration of the risk to affected individuals.

Optus made a voluntary data breach notification of the three privacy incidents and took steps to contain the incidents once it became aware of them.

The undertaking requires Optus to obtain an independent review of its information security systems and implement any recommendations.

‘White Pages’ incident

In February 2013, Optus made a change to its website at www.optus.com.au. Due to a coding error that occurred during this change, between February 2013 and April 2014, when Optus customers who had elected not to have their details listed in a telephone directory completed a rate plan change via Optus’s website, Optus’s systems erroneously changed the White Pages listing preferences for those customers from ‘No’ to ‘Yes’. As a result, the names, addresses and mobile phone numbers of approximately 122,000 Optus customers were listed in the White Pages online directory without the consent of those customers. The information of the majority of those customers was also published in various print editions of the White Pages.

Optus was made aware of the issue through a customer complaint in April 2014, and notified the OAIC about the issue on 3 June 2014.

‘Modem’ incident

Optus made a change to its network in relation to particular Netgear and Cisco modems, which it began deploying in November 2008 and March 2009 respectively. As part of the change, Optus deliberately left the management ports for these models of modems open, incorrectly assuming they were only accessible for network management purposes. In addition, Optus issued 197,000 of the Netgear modems and 111,000 of the Cisco modems to its customers with factory default settings, including user default names and passwords in place. Optus also did not conduct connectivity testing. These two issues in combination meant that Optus customers using the equipment who did not change the default user name and passwords were left vulnerable, potentially allowing a person to make and charge calls as though they were the Optus customer.

Optus became aware of the issue through the media in early April 2014,[1] and notified the OAIC about the issue on 17 April 2014. On or about 4 April 2014, Optus closed off the vulnerability by implementing access controls and modifying configuration files on all affected and newly dispatched modems to harden security on these modems by enforcing stronger password protection.

There was no evidence that this security vulnerability was exploited.

‘Voicemail’ incident

Between September 2013 and 13 May 2014, a flaw in Optus’s security processes led to certain customers not being prompted for their password when attempting to retrieve voicemail information from outside the Optus network. Optus did not identify the issue during testing. Consequently, where customer voicemail accounts were not password protected, some Optus customers were vulnerable to ‘spoofing’ attacks, where an unauthorised party could potentially access and use customer voicemail accounts messages, including being able to listen to recorded messages and change settings and preferences.

Optus was made aware of the issue by a third party on 28 April 2014, and notified the OAIC about the issue on 14 May 2014.

The reviews

The independent reviews include a review of the additional security measures Optus adopted in response to the Privacy Incidents.

These additional security measures include:

• Enhancing Optus’s monitoring program of change management that has the potential to affect the security of its customers’ personal and sensitive information;
• Enhancing Optus’s penetration testing: for fixed and mobile services; on all major IT projects as part of Optus’s Security Risk Assessment process; and as part of its annual monitoring program.

Specific tests required include:

• a review of Optus’s vulnerability detection processes across the organisation concerning the security of personal information.
• a service level security posture assessment;
• an architecture review of Optus’s principal IT systems (top 20 applying a risk based approach) involved in storing and handling personal information; and
• A review of Optus’ new voicemail platform.