The Australian Privacy Commissioner, Timothy Pilgrim, has found AAPT Limited breached the Privacy Act by failing to adequately protect customer data from unauthorised access. The Commissioner also found that AAPT had failed to comply with its obligation to destroy or permanently de-identify information no longer in use(see Investigation Report here).

In July 2012, AAPT customer data held on servers hosted by IT contractor Melbourne IT, was hacked and published online.

The compromised server held a series of websites and databases that included personal information about AAPT business customers used to verify the identity of customers and provide a quoting and billing system for AAPT sales staff. The personal information included information collected for the purpose of obtaining credit reports of AAPT business customers and information used for the purpose of transferring telephone numbers from other telecommunications carriers.

AAPT took the server offline immediately and worked closely with Melbourne IT to investigate and rectify the incident. A configuration change to the server by Melbourne IT closed the vulnerability exploited by the hacker.

The Commissioner made a number of recommendations to AAPT including implementing regular training for staff in relation to data retention and destruction, ensuring all IT applications are subject to vulnerability assessment and testing, as well as ensuring effective lifecycle management, and conducting regular audits of AAPT’s IT security framework. AAPT has implemented these recommendations.

Separately, the Australian Communications and Media Authority found that AAPT contravened clause 6.8.1 of the Telecommunications Consumer Protections Code by failing to protect the privacy of small business customers whose personal information was stored in a server which was the subject of unauthorised access.

Because of the terms of its contract with AAPT, no findings were made against Melbourne IT.