MEDIA RELEASE: Telstra breaches Privacy Act
29 June 2012
The Australian Privacy Commissioner, Timothy Pilgrim, has found Telstra in breach of the Privacy Act after 734,000 Telstra customers' details were made available online in December 2011.
The investigation findings were released today as the Australian Communications and Media Authority also found Telstra breached the Telecommunications Consumer Protections Code.
A database containing the details of customers who had a range of Telstra services was made accessible via a link on the internet. The database contained information such as customer names, phone numbers and order numbers and, in a very limited number of cases, dates of birth, driver's licence numbers and credit card numbers.
Mr Pilgrim released his investigation report today finding that a number of internal errors occurred in the lead up to the incident in December 2011.
"I found the privacy breach occurred because of a series of errors revealing significant weaknesses in Telstra's reporting, monitoring and accountability systems", Mr Pilgrim said.
"Of particular concern is that a number of Telstra staff knew about the security issues with the database but did not raise them with management. This incident could have been easily avoided if appropriate planning was undertaken".
"The failure by Telstra to correctly categorise the database project in its design phase as one involving customer data meant that the database did not receive the appropriate level of protection from the very beginning".
The Commissioner found Telstra to be in breach of two National Privacy Principles under the Privacy Act 1988:
- National Privacy Principle 2.1 (Use and disclosure)
- National Privacy Principle 4.1 (Data security)
Mr Pilgrim warned businesses of the importance of conducting a Privacy Impact Assessment (or PIA) when commencing new projects.
"Build your privacy in at the beginning, don't bolt it on as an afterthought. All businesses should conduct a PIA to make sure that potential privacy risks are considered at the start of any project and that risk mitigation strategies are put in place".
Telstra has committed to a remediation project to introduce significant measures to protect the security of the personal information it holds and prevent unauthorised access and disclosure in the future. The Commissioner closed the investigation after reviewing the remediation plans Telstra has in place.
In ceasing his investigation into the matter, the Commissioner asked Telstra to provide him with a report on the progress of the remediation project by October 2012. He also asked Telstra to provide him with a report on the completion of the remediation project by April 2013.
"The Privacy Act does not give me the power to impose any penalties or seek enforceable undertakings from organisations I have investigated on my own initiative. However, the privacy law reforms that are currently before Parliament will provide me with additional powers and remedies when conducting such investigations."
The full investigation report can be accessed here: http://www.oaic.gov.au/publications/reports.html#omi_reports
For more information on Privacy Impact Assessments: http://www.oaic.gov.au/publications/guidelines/Privacy_Impact_Assessment_Guide.html
Media contact: Ms Leila Daniels 0407 663 968 email@example.com