Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

AAPT breached Privacy Act

The Australian Privacy Commissioner, Timothy Pilgrim, has found AAPT Limited breached the Privacy Act for failing to adequately protect customer data from unauthorised access. The Commissioner also found that AAPT had failed to comply with its obligation to destroy or permanently de-identify information no longer in use.

In July 2012, AAPT customer data held on servers hosted by IT contractor Melbourne IT, was hacked and published online.

‘While I appreciate the speed and the way in which AAPT responded to the incident, it highlights the importance of having appropriate security systems and contractual arrangements in place to avoid a breach such as this,’ Mr Pilgrim said.

‘Organisations should ensure that contracts with IT suppliers are clear about which party has responsibility for identifying and addressing data security issues.’

‘More should have been done to appropriately manage and protect the information involved. Using older versions of applications and software when newer versions are available is a risk that needs to be actively managed, particularly when personal information is involved.’

The compromised server held a series of websites and databases that included personal information about AAPT business customers used to verify the identity of customers and provide a quoting and billing system for AAPT sales staff. The personal information included information collected for the purpose of obtaining credit reports of AAPT business customers and information used for the purpose of transferring telephone numbers from other telecommunications carriers.

‘It was also concerning that the compromised servers contained old customer information that was no longer needed by AAPT,’ Mr Pilgrim said.

‘Holding onto old personal information that is no longer needed does not comply with the Privacy Act and organisations which do so are needlessly placing themselves in a position of risk.’

The Commissioner made a number of recommendations to AAPT including implementing regular training for staff in relation to data retention and destruction, ensuring all IT applications are subject to vulnerability assessment and testing, as well as ensuring effective lifecycle management, and conducting regular audits of AAPT’s IT security framework. AAPT has implemented these recommendations.

Current privacy laws do not give the Commissioner the power to impose any penalties or seek enforceable undertakings from organisations investigated on his own initiative.

‘New privacy laws in force from 12 March 2014 will give me additional powers and remedies when conducting such investigations.  From that date I will be able to obtain enforceable undertakings from organisations and, in the case of serious or repeated breaches seek civil penalties,’ Mr Pilgrim said.

For interview requests please call:  Ms Leila Daniels      0407 663 968     media@oaic.gov.au

Background notes for Editors

  • The full investigation report is available at: http://www.oaic.gov.au/privacy/applying-privacy-law/privacy-omi-reports/aapt-and-melbourne-it-own-motion-investigation-report
  • The investigation focused on whether AAPT and Melbourne IT took reasonable steps to protect customer information from misuse and loss and from unauthorised access, modification or disclosure.
  • Under National Privacy Principle (NPP) 4.1, organisations must take reasonable steps to protect the information they hold from misuse and loss and from unauthorised access, modification or disclosure.
  • An organisation has obligations under NPP 4.1 if it has physical possession of the data or the right or power to deal with the information — even if it does not physically possess or own the medium on which the information is stored.
  • Organisations should ensure that contracts with IT suppliers are clear about which party has responsibility for identifying and addressing data security issues.
  • Under NPP 4.2, if an organisation no longer needs personal information for any purpose under NPP 2, then the organisation must take reasonable steps to destroy or permanently de-identify it. To comply with this obligation, an organisation must develop systems or procedures to identify information the organisation no longer needs and a process for how the destruction or de-identification of the information will occur. It must also ensure staff are trained in those systems or procedures.
  • From 12 March 2014, new privacy laws will introduce a new set of Australian Privacy Principles, a more comprehensive credit reporting system and enhanced powers for the Commissioner. The reforms introduce new enforcement powers and remedies for investigations that the Commissioner commences on their own initiative. The Commissioner will be able to make a determination, accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders which can range from $340,000 for individuals and up to $1.7 million for companies.   
  • In April 2013, the Australian Communications and Media Authority (ACMA) formally warned AAPT Limited, following an investigation under the Telecommunications Consumer Protections Code (TCP Code).