The personal information of more than 730,000 Telstra customers was publicly accessible online for eight months during 2011, the Australian Communications and Media Authority (ACMA) reported recently.
ACMA also said that the Australian Privacy Commissioner found that Telstra has “breached the Privacy Act 1988, for failing to protect the personal information of users.”
Despite these breaches, the ACMA said that it can only issue Telstra a direction to comply or a formal warning.
The ACMA reported that it “cannot fine or otherwise penalise the provider”.
Here is the complete ACMA news report:
Telstra disclosure breaches TCP Code
29 June 2012 – Telstra breached its customer privacy obligations when personal information about 734,000 of its customers was made accessible online during 2011.
On 9 December 2011, Telstra advised the Australian Communications and Media Authority that the names and in some cases addresses of up to 734,000 Telstra customers had been accessible via a link available on the internet. Usernames and passwords of up to 41,000 of these Telstra customers had also been accessible.
‘Under clause 6.8.1 of the Telecommunications Consumer Protections Code (TCP Code) a Carriage Service Provider must protect the privacy of each customer’s billing and related personal information,’ said Acting ACMA Chairman, Richard Bean.
The Australian Privacy Commissioner also found that Telstra breached the Privacy Act 1988, for failing to protect the personal information of users.
Telstra explained that they used a web-based customer management tool called the Visibility Tool to track orders for bundled products. Personal information such as usernames, passwords and addresses, and in some cases drivers licence numbers and dates of birth, were publicly accessible on the Visibility Tool from 29 March 2011 to 9 December 2011. The number of customers in the database increased from March to December, peaking at 734,000 customers by December 2011.
‘We are most concerned about the length of time–more than eight months–during which a significant number of Telstra customers’ personal information was publicly available and accessible,’ Richard Bean added.
‘Clearly there were gaps in Telstra’s processes to identify and act on the matter prior to media reports of the disclosure.’
Telstra has taken steps to remedy its processes and the ACMA is considering those steps and its formal enforcement response.
Where the ACMA finds a TCP Code breach, it can issue the service provider involved a direction to comply with the code or issue a formal warning. However, it cannot fine or otherwise penalise the provider. // ACMA