Telstra’s security slip-up was a breach of the Privacy Act
Back in December 2011 a customer discovered that the identity details of 734,000 Telstra Australia customers had been exposed to possible identity theft and misuse, being easily accessible through a Google search. The Privacy Commissioner, Timothy Pilgrim, immediately stepped in to investigate. After a six-month investigation, Mr Pilgrim and the Australian Communications and Media Authority (ACMA) have found that Telstra breached both the Privacy Act and the Telecommunications Consumer Protections Code. We look at how this occurred, and what the implications could be for Telstra, and for you and your credit file.
By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.
In the New Year, we reported on this massive privacy issue, which affected more than 700,000 customers, including myself, in our post Telstra’s at it again. And this time it may affect YOU. Here is an excerpt from the December 12 media release:
The Sydney Morning Herald reported on Friday that a user of the Whirlpool forum stumbled upon the “Telstra bundles request search” page after doing a Google search for a Telstra customer support phone number they were told to contact.
SMH reported that the information of any Telstra customer was searchable, even by last name alone, bringing up the customer’s account number, what broadband plan they were on, what other Telstra services they were signed up to, and notes associated with the customers’ accounts, including in many cases their usernames and passwords.
There were also other details about technician visits, SMS messages sent to private mobile numbers and credit check details.
Telstra has reportedly reset approximately 60,000 customer passwords as a precaution (http://www.theaustralian.com.au/australian-it/telstra-customers-face-password-reset-after-privacy-breach/story-e6frgakx-1226219541766).
Telstra bundle customer Graham Doessel is one of those potentially at risk.
He also happens to be the CEO of a company dealing in credit repair for people who have been unlawfully blacklisted from borrowing facilities. He says as much as 50% of his clientele who present with credit file errors and inconsistencies are Telco customers, and many of those are Telstra customers.
“This data breach is a crucial example of how errors occur so easily in the Telco industry. Unfortunately they have the potential to severely damage someone’s financial future.”
“Every day we deal with customers who can’t get a home loan, because their credit rating is damaged by improper execution of policies and procedures in the Telco industry,” Mr Doessel, of MyCRA Credit Repairs says.
Mr Doessel is concerned he is amongst those Telstra customers whose personally identifiable information may have been viewed, and copied for purposes of fraud during the time the information was readily available on the internet.
“The issue is about both our possible stolen passwords, and our possible stolen personal details – a huge commodity for fraudsters. What’s to say fraudsters haven’t jumped on the internet while this information has been available and copied it?”
“Personal details are the building blocks for constructing a fake identity. Once someone has fake ID documents, they can take out significant amounts of credit in the victim’s name. Often people don’t find out about it straight away and that can result in defaults from creditors and massive long term credit issues,” he says.
Outcome of the investigation
Mr Pilgrim found in his investigation that a number of internal errors occurred in the lead up to the incident in December 2011.
“I found the privacy breach occurred because of a series of errors revealing significant weaknesses in Telstra’s reporting, monitoring and accountability systems,” Mr Pilgrim said in a statement to the media.
“Of particular concern is that a number of Telstra staff knew about the security issues with the database but did not raise them with management. This incident could have been easily avoided if appropriate planning was undertaken”.
“The failure by Telstra to correctly categorise the database project in its design phase as one involving customer data meant that the database did not receive the appropriate level of protection from the very beginning”.
The Commissioner found Telstra to be in breach of two National Privacy Principles under the Privacy Act 1988:
• National Privacy Principle 2.1 (Use and disclosure)
• National Privacy Principle 4.1 (Data security)
Mr Pilgrim warned businesses of the importance of conducting a Privacy Impact Assessment (or PIA) when commencing new projects.
“Build your privacy in at the beginning, don’t bolt it on as an afterthought. All businesses should conduct a PIA to make sure that potential privacy risks are considered at the start of any project and that risk mitigation strategies are put in place”.
Implications for Telstra
Telstra has committed to a remediation project to introduce significant measures to protect the security of the personal information it holds and prevent unauthorised access and disclosure in the future. The Commissioner closed the investigation after reviewing the remediation plans Telstra has in place.
In closing his investigation into the matter, the Commissioner asked Telstra to provide him with a report on the progress of the remediation project by October 2012. He also asked Telstra to provide him with a report on the completion of the remediation project by April 2013.
No penalties enforced
Mr Pilgrim said the Privacy Act does not give him the power to impose any penalties or seek enforceable undertakings from organisations he has investigated on his own initiative. However, he did say that the privacy law reforms currently before Parliament – the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 – will provide him with additional powers and remedies when conducting such investigations in the future.
The Sydney Morning Herald reported in its article Telstra’s 734,000 account privacy blunder breached multiple laws: regulators that Telstra appears to have escaped financial or other penalties for now, which has angered consumer groups.
“We strongly believe the ACMA needs stronger enforcement powers for the Code to be effective,” said Elise Davidson of the Australian Communications Consumer Action Network.
“The ACMA is currently considering a new draft of the TCP Code but – regardless of what’s in it – without effective enforcement, telecommunication providers can continue to seriously breach their obligations without fear of any fines or sanctions from the regulator.”
And Yet Still More Data Exposed
Even before the delivery of the Privacy Commissioner’s finding on the account scandal, Telstra had also become embroiled in another data scandal, this one involving the tracking of its customers’ internet data usage. The ABC reports in its article Telstra accused of tracking Next G internet use:
Telstra has been accused of tracking the internet use of its Next G mobile phone users and sending their internet history to a company in the United States.
One of the telco’s customers discovered that when he visited a website using his Next G network in Australia, a server in the United States would visit the same address almost instantly.
Telstra says it is collecting the information for use in a new internet filter product, but internet users are outraged and are demanding the Australian Privacy Commissioner investigate.
For an update on how this particular breach occurred, and what has been discovered so far, check out the IT News article Telstra: Oh what a tangled web we weave, written yesterday.
Perhaps not Telstra’s finest hour on Privacy Issues, nor Australia’s finest hour on Privacy Law.
How To Protect Your Credit File After a Data Breach
Whilst there have been no official reports of any identity theft cases from this particular security breach, we look at what you should do if you find yourself in this situation in the future, with any company that holds your personal information.
1. Change passwords. Even if Telstra hasn’t advised you otherwise, go in and change your password. If you have that same password for unrelated accounts, change that as well.
2. Check your credit file. Obtain a free copy of your credit file and check there is nothing suspicious already present on your credit file.
If you see suspicious activity on your credit file, or on your credit accounts:
3. Alert your creditors that you may be at risk of identity theft. This will allow them to ‘flag’ your accounts and halt any suspicious activity.
4. Alert credit reporting agencies. They can put an alert on your credit file which informs you of any changes to contact details, or suspicious credit enquiries you may not have initiated.
5. Consider making a complaint to the Privacy Commissioner. If you firmly believe you have been a victim of identity theft through a company data breach or breach of personal information, visit the Privacy Commissioner’s website to determine whether you have a valid complaint to make, and how to go about making it: http://www.privacy.gov.au/complaints.
6. If your credit file has been damaged, get help to repair it. If you have been exposed to identity theft, and you have credit listings which should not be there, contact a professional credit repairer, who can talk to you about clearing your bad credit and recovering your good name.