Telstra password leak breached Privacy Act

By Darren Pauli on Jun 29, 2012 11:23 AM
Filed under Security

Rapid response means no penalties.

The Australian Privacy Commissioner has found Telstra breached the Privacy Act when it exposed thousands of customer records to the public over the internet last year.

Commissioner Timothy Pilgrim said the telco breached National Privacy Principle 2.1 and 4.1 as it “did not take reasonable steps to protect customers' personal information from unauthorised access and disclosure”.

Telstra reset 73,000 customer passwords in December after an internal tool containing sensitive information for a total 806,000 subscribers — including passwords, usernames, phone numbers and addresses — were inadvertently exposed on the internet.

Approximately 734,000 records in total were exposed.

Telstra’s entire BigPond email system was taken offline, affecting up to a million users.

The telco’s incident response manager Scott McIntyre this year revealed at SC's 'Security on the Move' event that Telstra had taken down the offending site within an hour of becoming aware of the gaffe.

The Privacy Commissioner's investigation found the telco failed to properly escalate the security incident to the relevant area when it was first aroused.

It found the breach was caused in part because a Telstra employee incorrectly filling out a mandatory security compliance questionnaire before implementing the system, in a “failure to follow proper systems, processes and oversight”.

A separate but simultaneous investigation into the incident by the media regulator (doc) found that "had the Telstra staff member completed the questionnaire correctly, the relevant risks would have been identified".

"In addition to this, a small number of people failed to protect the Visibility Tool once it became clear that it could be externally accessed," it said.

"Had Telstra’s internal processes been correctly followed, the incident would have been prevented"

Telstra escaped any undertakings or further penalties from either the Privacy Commissioner or the Australian Communications and Media Authority, despite the latter organisation also finding Telstra had contravened the Telecommunications Industry Protection Code.

Both investigations were finalised without penalty thanks to the telco's rapid incident response, which it used to pull records from the internet, reset passwords and contacted customers.

“The commissioner acknowledges that on becoming aware of this incident Telstra acted immediately to restrict access to personal information, commenced an investigation into the incident and implemented a number of security and policy measures,” Pilgrim said in a statement.

“These actions could be seen as reasonable steps to protect the personal information held by Telstra from unauthorised access.”

It said Telstra had run audits, revised its Privacy Compliance Program, introduced training, and improved the involvement of the Chief Privacy Officer.

The telco has received several privacy complaints in recent months, most notably due to publicity surrounding its attempts to monitor web traffic for Next G subscribers to build a voluntary web filter.

The company halted such tracking this week after several customers referred the incident to the Privacy Commissioner, who is yet to open a formal investigation.

 
Follow us on Facebook and Twitter
 

Copyright © SC Magazine, Australia

Telstra password leak breached Privacy Act
 
 
 
 
 
Top Stories
Dicker Data pulling in $100 million a month
Beats sales projections in first quarter.
 
Evernote finds new allies in Aussie business push
Certifies first Australian consultants as local users reach 2 million.
 
Adelaide ISV rebrands after cracking $2m
Meet the new Adelaide Interim.
 
Sign up to receive CRN email bulletins
   FOLLOW US...
Latest Comments
CRN Magazine

Issue: 332 | October 2014

CRN Magazine looks in-depth at the emerging issues and developments for the channel, and provides insight, analysis and strategic information to help resellers better run their businesses.