Vodafone has been reprimanded for failing to confirm the identity of at least 1028 prepaid mobile customers before activating their services.
Australian telcos are required to verify customer identities before activating their services using the minimum amount of information necessary in order to aid law enforcement and national security agencies for use in their own investigations.
The breaches, which occurred between January 2015 and January 2016, were the result of a change to Vodafone's IT system, which allowed customers to claim their identity had been confirmed in-store when activating a service online, even if this was not necessarily the case.
Vodafone has since accepted an enforceable undertaking from ACMA, committing to conducting a review and risk assessment of any future changes to its IT systems and processes, implement training programs and conduct compliance audits every six months.
A Vodafone spokesperson said the company said it has been working closely with ACMA and is committed to the terms of the undertaking.
"During an upgrade to our prepaid customer activation systems over a period in 2015-2016, the system allowed a small number of customers to activate their Vodafone pre-paid services online without proper ID verification.
"Vodafone has since taken steps to confirm the identity of those customers or cancel services in cases where this verification wasn’t possible, and resolve the underlying issue.
"We can assure our customers that our systems and processes are robust, and we are continually working to ensure we act in accordance with the law."
ACMA acting chair James Cameron said: "Verifying the identity of prepaid mobile customers helps law enforcement and national security agencies obtain accurate information about the identity of customers for the purposes of their investigations.
"Telcos must check that changes to their IT systems don’t run the risk of contravening legal requirements."
Late last year, ACMA nabbed China-headquartered telco iTalkBB for breaches to the Telecommunications Consumer Protection (TCP) code for conducting direct debit transactions without giving customers appropriate time to review their bill first.