In separate investigations the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (the ACMA) have found Telstra breached privacy laws . Between February 2012 and May 2013, the information of 15,775 Telstra customers from 2009 and earlier was accessible on the internet. This included the information of 1,257 active silent line customers.
The Commissioner came to the view that Telstra had breached the Privacy Act, by failing to take reasonable steps to secure personal information it held. The Commissioner also found that Telstra had unlawfully disclosed personal information.
The following events led to the data breach:
a. source files were hosted on the platform that was the subject of the data breach (platform) by a third party service provider (third party provider) on behalf of Telstra
b. Telstra requested its third party provider to extend an access control to enable authorised partners to access Telstra’s retail information via the platform
c. the third party provider deployed the requested solution on 24 February 2012; this inadvertently turned off the access control, making the source files publicly accessible online
d. Google indexed the source files on and from 23 June 2012, making the source files discoverable via Google search between 23 June 2012 and 15 May 2013, and
e. the source files were discovered and accessed by an internet user who conducted a Google search for ‘Telstra’ and two other specific search criteria; that individual alerted the media.
The Commissioner found that Telstra acted appropriately in responding to the data breach. After being notified of the breach, Telstra:
a. disabled all public access links to the source files containing the customer data, and requested Google to clear all relevant caches
b. reported the incident to the ACMA and the Telecommunications Industry Ombudsman
c. requested that the third party provider commence an internal investigation and report back to Telstra, and
d. notified affected customers, and developed a process to enable resellers’ end users to change their number as required.
To prevent future data breaches, Telstra also conducted internal reorganisation to support the central management of software and platforms by Telstra IT, increased security controls, recommended an internal review into Telstra’s use of SaaS solutions (including monitoring and ensuring that solutions employ reasonable security steps), and established a Security Exploration Team tasked with searching for any Telstra customer data that may be accessible publicly or through search robots.
As of 31 December 2013, Telstra decommissioned all instances of the platform and migrated to an internal platform managed by Telstra IT.
Telstra will also establish a clear policy for central software management (including information security arrangements), review contracts relating to personal information handling (including by enhancing Telstra’s control over third party providers), implement a data loss prevention program, adopt a Privacy by Design strategy, and exit its contract with the third party provider.
