The Australian Communications and Media Authority (ACMA) have announced that Telstra breached its customer privacy obligations when personal information about more than 700,000 of its customers was made accessible online during 2011.

On December 9, 2011, Telstra  advised the ACMA that the names and in some cases addresses of up to 734,000 Telstra customers had been accessible via a link available on the internet. Usernames and passwords of up to 41,000 of these Telstra customers had also been accessible.

“Under clause 6.8.1 of the Telecommunications Consumer Protections Code (TCP Code) a Carriage Service Provider must protect the privacy of each customer’s billing and related personal information,” said Richard Bean, acting ACMA chairman. 

The Australian Privacy Commissioner also found that Telstra breached the Privacy Act 1988, for failing to protect the personal information of users.

“We are most concerned about the length of time – more than eight months – during which a significant number of Telstra customers’ personal information was publicly available and accessible,” Bean said. “Clearly there were gaps in Telstra’s processes to identify and act on the matter prior to media reports of the disclosure.” 

Telstra has taken steps to remedy its processes and the ACMA is considering those steps and its formal enforcement response. Where the ACMA finds a TCP Code breach, it can issue the service provider involved a direction to comply with the code or issue a formal warning. However, it cannot fine or otherwise penalize the provider.