The OAIC’s investigation focused on whether Telstra took reasonable steps to protect customer information from misuse, loss, unauthorised access, modification or disclosure.
In a report published today, the Privacy Commissioner, Timothy Pilgrim, found Telstra breached the following National Privacy Principles (NPPs):
- 4.1 — failure to take reasonable steps to ensure the security of the personal information it held
- 4.2 — failure to take reasonable steps to destroy or permanently de-identify the personal information it held
- 2.1 — disclosure of personal information other than for a permitted purpose.
Telstra was also found to have breached:
- clause 4.6.3 of the Telecommunications Consumer Protections Code (TCP Code), which requires telecommunications providers to ensure that the personal information of customers is protected from unauthorised use or disclosure and to have robust procedures in place to that end, and
- an ACMA direction to comply with clause 4.6.3 of the TCP Code. The Direction to Comply was given by the ACMA in response to a previous TCP Code breach.
‘This incident is a timely reminder to all organisations that they should prioritise privacy. All entities bound by the Privacy Act must have in place security measures to protect personal information,’ said Privacy Commissioner Timothy Pilgrim.
Following the breach, Telstra agreed to undertake a number of actions, including exiting the software platform on which the incident occurred, establishing a clear policy for central software management, and reviewing contracts with third parties relating to personal information-handling.
In finding Telstra in breach of the Privacy Act, the Privacy Commissioner recommended that Telstra:
- engage an independent third party auditor to certify that Telstra has implemented planned rectifications, and that the certification be provided to the Commissioner by 30 June 2014, and
- review its Document Retention Policy to ensure it meets the requirements of the Australian Privacy Principles, which apply from 12 March 2014.
Telstra has also paid an infringement notice for $10,200 in relation to its contravention of the ACMA’s earlier Direction to Comply (which is the amount provided for in the relevant telecommunications legislation).
‘The ACMA welcomes Telstra’s agreement to the Privacy Commissioner’s recommendations,’ said ACMA Chairman Chris Chapman. ‘Telco providers are in a position of trust with respect to their customers’ details and with it comes a weighty responsibility — a fact reflected in the outcomes mandated by the TCP Code.’
‘This incident provides lessons for all organisations — there is no “set and forget” solution to information security and privacy in the digital environment. Organisations need to regularly review and improve security systems to avoid data breaches,’ said Mr Pilgrim.
For more information or to arrange an interview, please contact:
- OAIC — Leila Daniels, Media Manager (02) 9284 9695 and 0407 663 968 or firstname.lastname@example.org.
- ACMA — Emma Rossi, Media Manager, (02) 9334 7719 and 0434 652 063 or email@example.com.
In May 2013, Telstra contacted the ACMA to advise that it had learnt, via a journalist, that the names, phone numbers and addresses of around 15,775 Telstra customers had been available on the internet. The same journalist alerted the OAIC to the matter. The records included the information of 1,257 active silent line customers. Telstra also advised that there were at least 166 unique downloads of these records.
When Telstra discovered the problem it:
- took steps to disable all public access links to the source and to have Google caches cleared to ensure that the data could not be accessed via a Google search
- undertook remediation steps as appropriate
- took steps to contact all affected customers.
Additional OAIC background
The OAIC has published two public reports on previous investigations into Telstra.
- The personal information of approximately 734,000 customers was made publicly available online in December 2011.
- A mailing list error resulted in approximately 220,000 letters with incorrect addresses being mailed out in October 2010.
From 12 March 2014, new privacy laws will introduce a new set of Australian Privacy Principles, a more comprehensive credit reporting system and enhanced powers for the Commissioner. The reforms introduce new enforcement powers and remedies for investigations that the Commissioner commences on their own initiative. The Commissioner will be able to make a determination, accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies.
Additional ACMA background
On 3 September 2012, the ACMA gave Telstra a direction to comply with clause 4.6.3 of the TCP Code, following an ACMA investigation into an incident identified in December 2011. That incident involved the names and in some cases the addresses of approximately 734,000 Telstra customers, and the usernames and passwords of up to 41,000 of those customers, being found to be publicly available and accessible on the internet during the period from 29 March 2011 to 9 December 2011.
If a provider has been directed to comply with all or part of a code, the ACMA can take action against the provider if it fails to comply with that direction, including by:
- giving a remedial direction;
- issuing an infringement notice;
- accepting an enforceable undertaking; or
- pursuing civil penalties through Federal Court action.