Telstra’s security slip-up was a breach of the Privacy Act

 In Identity Theft, Industry News, Privacy Commissioner

Back in December 2011 a customer discovered the identity details of 734,000 Telstra Australia customers had been exposed to possible identity theft and misuse by being easily accessible through a Google search. The Privacy Commissioner, Timothy Pilgrim immediately stepped in to investigate. After a 6 month-long investigation, Mr Pilgrim and the Australian Communications and Media Authority (ACMA) has found Telstra has breached both the Privacy Act, and the Telecommunications Consumer Protections Code. We look at how this occurred, and what the implications could be for Telstra, and for you and your credit file.

By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and

In the New Year, we reported on this massive privacy issue, which affected more than 700,000 customers, including myself in our post Telstra’s at it again. And this time it may affect YOU. Here is an excerpt from the December 12 media release:

The Sydney Morning Herald reported on Friday a user of the Whirlpool forum stumbled upon the “Telstra bundles request search” page after doing a Google search for a Telstra customer support phone number they were told to contact.

SMH reported the information of any Telstra customer was searchable even by last name, bringing up the customer’s account number, what broadband plan they were on, what other Telstra services they were signed up to and notes associated with the customers’ accounts including in many cases their usernames and passwords.

There were also other details about technician visits, SMS messages sent to private mobile numbers and credit check details.
Telstra has reportedly reset approximately 60,000 customer passwords as a precaution (

Telstra bundle customer, Graham Doessel is one of those potentially at risk.

He also happens to be the CEO of a company dealing in credit repair for people who have been unlawfully blacklisted from borrowing facilities. He says as much as 50% of his clientele who present with credit file errors and inconsistencies are Telco customers, and many of those are Telstra customers.

“This data breach is a crucial example of how errors occur so easily in the Telco industry. Unfortunately they have the potential to severely damage someone’s financial future.”

“Every day we deal with customers who can’t get a home loan, because their credit rating is damaged by improper execution of policies and procedures in the Telco industry,” Mr Doessel, of MyCRA Credit Repairs says.

Mr Doessel is concerned he is amongst those Telstra customers whose personally identifiable information may have been viewed, and copied for purposes of fraud during the time the information was readily available on the internet.

“The issue is about both our possible stolen passwords, and our possible stolen personal details – a huge commodity for fraudsters. What’s to say fraudsters haven’t jumped on the internet while this information has been available and copied it?”

“Personal details are the building blocks for constructing a fake identity. Once someone has fake ID documents, they can take out significant amounts of credit in the victim’s name. Often people don’t find out about it straight away and that can result in defaults from creditors and massive long term credit issues,” he says.

Outcome of the investigation

Mr Pilgrim found in his investigation that a number of internal errors occurred in the lead up to the incident in December 2011.

“I found the privacy breach occurred because of a series of errors revealing significant weaknesses in Telstra’s reporting, monitoring and accountability systems”, Mr Pilgrim said in a statement to the media.

“Of particular concern is that a number of Telstra staff knew about the security issues with the database but did not raise them with management. This incident could have been easily avoided if appropriate planning was undertaken”.

“The failure by Telstra to correctly categorise the database project in its design phase as one involving customer data meant that the database did not receive the appropriate level of protection from the very beginning”.

The Commissioner found Telstra to be in breach of two National Privacy Principles under the Privacy Act 1988:
•National Privacy Principle 2.1 (Use and disclosure)
•National Privacy Principle 4.1 (Data security)

Mr Pilgrim warned businesses of the importance of conducting a Privacy Impact Assessment (or PIA) when commencing new projects.

“Build your privacy in at the beginning, don’t bolt it on as an afterthought. All businesses should conduct a PIA to make sure that potential privacy risks are considered at the start of any project and that risk mitigation strategies are put in place”.

Implications for Telstra

Telstra has committed to a remediation project to introduce significant measures to protect the security of the personal information it holds and prevent unauthorised access and disclosure in the future. The Commissioner closed the investigation after reviewing the remediation plans Telstra has in place.

In ceasing his investigation into the matter, the Commissioner asked Telstra to provide him with a report on the progress of the remediation project by October 2012. He also asked Telstra to provide to him with a report on the completion of the remediation project by April 2013.

No penalties enforced

Mr Pilgrim said The Privacy Act does not give him the power to impose any penalties or seek enforceable undertakings from organisations he has investigated on his own initiative. However, he did say the privacy law reforms that are currently before Parliament – the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 will provide him with additional powers and remedies when conducting such investigations in the future.

The Sydney Morning Herald reported in its article Telstra’s 734,000 account privacy blunder breached multiple laws: regulators that Telstra appears to have escaped financial or other penalties for now, which has angered consumer groups.

“We strongly believe the ACMA needs stronger enforcement powers for the Code to be effective,” said Elise Davidson of the Australian Communications Consumer Action Network.

“The ACMA is currently considering a new draft of the TCP Code but – regardless of what’s in it – without effective enforcement, telecommunication providers can continue to seriously breach their obligations without fear of any fines or sanctions from the regulator.”

And Yet Still More Data Exposed

Even before the deliverance of the Privacy Commissioner’s finding on the account scandal, Telstra has also been embroiled in another data scandal involving the tracking of its customer’s internet data useage. The ABC reports in its article Telstra accused of tracking Next G internet use:

Telstra has been accused of tracking the internet use of its Next G mobile phone users and sending their internet history to a company in the United States.

One of the telco’s customers discovered that when he visited a website using his Next G network in Australia, a server in the United States would visit the same address almost instantly.

Telstra says it is collecting the information for use in a new internet filter product, but internet users are outraged and are demanding the Australian Privacy Commissioner investigate.

For an update to how this particular breach occurred, and what has been discovered so far, check out the IT News article Telstra: Oh what a tangled web we weave written yesterday.


Perhaps not Telstra’s finest hour on Privacy Issues, nor Australia’s finest hour on Privacy Law.

How To Protect Your Credit File After a Data Breach

Whilst there have been no official reports of any identity theft cases from this particular security breach, we look at what you should if you find yourself in this situation in the future, with any company that holds your personal information.

1. Change passwords. Even if Telstra hasn’t advised you otherwise, go in and change your password. If you have that same password for unrelated accounts, change that as well.
2. Check your credit file. Obtain a free copy of your credit file and check there is nothing suspicious already present on your credit file.
If you see suspicious activity on your credit file, or your credit accounts….
3. Alert your Creditors you may be at risk of identity theft. This will allow them to ‘flag’ your accounts and halt any suspicious activity.
4. Alert credit reporting agencies. They can put an alert on your credit file which informs you of any changes to contact details, or suspicious credit enquiries you may not have initiated.
5. Consider making a complaint to the Privacy Commissioner. If you firmly believe you have been a victim of identity theft through a company data breach or breach of personal information, you should visit the Privacy Commissioner’s website to determine if you have a valid complaint to make, and how to go about making it.
6. If your credit file has been damaged, get help to repair it. If you have been exposed to identity theft, and you have credit listings which should not be there, contact a professional credit repairer, who can talk to you about clearing your bad credit and recovering your good name.

Image: Stuart Miles /



Recommended Posts
  • Deborah

    Sometime last year (unknown to me), Telstra facilitated the theft of my identity by delivering a mobile phone to an unknown person without verifying and / or sighting any credible identification ie NSW drivers license. NSW Police confirmed this information to me in February 2017. This purchase was too easily achieved through Telstra’s online website. Further, I am not a customer nor client of Telstra.

    I am concerned this type of fraud might also enable criminal activity and terrorism as I think recent counter terrorism laws now require significant forms of photographic identification for the purchase of pre paid mobile devices to maintain secure records of individuals.

    I alerted Telstra to the fraudulent online purchase when I received an overdue account in January 2017. I made a Police report and attended in person to a Telstra shop to inform them. I have also made numerous calls and sent several emails to Telstra alerting them.

    Telstra have continued to intimidate and harass me with letter of demand through a debt collection agency, despite me providing excessive proof of my identity ie copy passport; drivers license; police report case number and two Stat Declarations.

    Have Telstra breached any privacy laws considering they forwarded my personal data to a debt collection agency especially as I not a Telstra customer and did not enter or agree to any contract with them?

    They inform me they will not commence a ‘fraud review’ until I supply them with further personal identification ie 3 forms of photo identity & proof of my address at time of this transaction, again despite having Police confirmation of illegal activity ie false license number.

    Out of interest, I searched ‘Telstra identity theft’ on the Whirlpool Forum website and learned that many people had also been exposed to identity theft enabled by Telstra with their online purchase page. It might be that this type of fraud is more widespread at Telstra and perhaps their lack of security measures / systems needs to be exposed to protect the community.

    You would think that Telstra would have more robust security systems in place considering that this appears, by the number of complaints and posts I saw, to be quite prevalent.

    This is what I posted in response to other posts directly naming Telstra.

    Telstra must have a seriously flawed security system with their online purchasing process.
    They delivered a mobile phone to an address unknown without verifying the license number which NSW Police have informed me is false.
    I have supplied them with too much personal identification already and two Stat Declarations.
    I have advised local MPs ; ACORN; Scamwatch ; TIO and Police; Equifax
    I am suffering as a result of Telatra’s lackadaisical attitude to my plight. The onus is on me to prove my identity whis is not in question. Telstra have threatened me with credit action ie placing a default on my credit file and forwarded my personal details to a debt collection agency and I not even a client of Telstra.
    The debt collection agency sent me a threatening letter of demand to my former address.

    The ramifications of having your identity stolen can be huge and at great personal cost.
    I want Telstra to be held accountable for allowing my identity to be stolen and five months of undue stress and wasted time trying to resolve this matter.
    I have provided them with two Statutory Declarations; copy of my passport; NSW Drivers license plus NSW Police case and event number yet they are demanding more photo identification and proof of my whereabouts at time of transaction ie my address even though they refuse to provide me with any details ie dates; time etc. Telstra
    Resolutions Complaint Team have behaved in an intimidating and threatening manner towards me.

    Kind regards

    Deborah Moffitt

    Work email:-

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt

Start typing and press Enter to search