Telstra Breaches Personal Information of 700,000 Customers

21 August 2012

Telstra Breaches Personal Information of 700,000 Customers

The Australian Communications and Media Authority (ACMA) have announced that Telstra breached its customer privacy obligations when personal information about more than 700,000 of its customers was made accessible online during 2011.

 

On December 9, 2011, Telstra  advised the ACMA that the names and in some cases addresses of up to 734,000 Telstra customers had been accessible via a link available on the internet. Usernames and passwords of up to 41,000 of these Telstra customers had also been accessible.

 

“Under clause 6.8.1 of the Telecommunications Consumer Protections Code (TCP Code) a Carriage Service Provider must protect the privacy of each customer’s billing and related personal information,” said Richard Bean, acting ACMA chairman. 

 

The Australian Privacy Commissioner also found that Telstra breached the Privacy Act 1988, for failing to protect the personal information of users.

 

Telstra explained that they used a web-based customer management tool called the Visibility Tool to track orders for bundled products. Personal information such as usernames, passwords and addresses, and in some cases drivers licence numbers and dates of birth, were publicly accessible on the Visibility Tool from March 29, 2011, to December 9, 2011. The number of customers in the database increased from March to December, peaking at 734,000 customers by December 2011.
 

“We are most concerned about the length of time – more than eight months – during which a significant number of Telstra customers’ personal information was publicly available and accessible,” Bean said. “Clearly there were gaps in Telstra’s processes to identify and act on the matter prior to media reports of the disclosure.” 

 

Telstra has taken steps to remedy its processes and the ACMA is considering those steps and its formal enforcement response. Where the ACMA finds a TCP Code breach, it can issue the service provider involved a direction to comply with the code or issue a formal warning. However, it cannot fine or otherwise penalize the provider.


Please wait while the page is loading...

loader