Telstra rapped for leaking 16,000 customers’ details

Australian operator Telstra has been penalised by the Office of the Australian Information Commissioner (OAIC) and telecoms regulator the Australian Communications and Media Authority (ACMA) for breaching privacy laws.

On Tuesday Telstra was found to have made the personal details of almost 16,000 customers accessible via the internet between February 2012 and May 2013, after several spreadsheets containing customer data dating back to 2009 were found through Google Search.

The breach, Telstra’s second in recent years, raises questions about the company’s approach to security and vendor-supplied software solutions.

Specifically, Telstra has undertaken to cease use of the Oracle RightNow SaaS CRM system, although it is not clear whether this was a voluntary decision or a requirement of the Australian regulatory authorities.

“Following the breach, Telstra agreed to undertake a number of actions, including exiting the software platform on which the incident occurred, establishing a clear policy for central software management, and reviewing contracts with third parties relating to personal information-handling,” ran a statement from the OAIC.

According to the OAIC, Telstra contacted regulator ACMA in May 2013 after a journalist had told the firm that the names, phone numbers and addresses of approximately 15,775 of its customers had been made accessible on the internet.

The OAIC undertook an investigation to determine whether Telstra had taken reasonable steps to protect its customers’ data. It found that, once the breach had been discovered, Telstra did take steps to disable all public access links to the source, to have Google caches cleared so that the data could no longer be reached via a Google search, and to contact affected customers.

However, the OAIC found that the operator had failed to take “reasonable steps” to ensure the security of the personal information it held; failed to destroy or permanently de-identify that information; and that it disclosed personal information for a reason other than its permitted purpose.

The investigation found Telstra requested an unnamed third party provider to extend an access control to enable authorised partners to access Telstra’s retail information via the platform, which according to the regulator “inadvertently turned off the access control, making the source files publicly accessible online.”

The third party data management firm also failed to prevent Google from caching and indexing the private information by incorrectly configuring the robots.txt file.
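To make the robots.txt point concrete, here is an added example (not code from the article, Telstra or its vendor) that uses Python's standard urllib.robotparser to show how a misconfigured file leaves an export directory crawlable, and lints for the two mistakes the weak file contains. The host name, paths and both robots.txt files are constructed for illustration; note that robots.txt only advises well-behaved crawlers and does nothing to restrict access to files that are publicly reachable, which is why the disabled access control, not the crawler hint, was the root failure.

```python
import urllib.robotparser

# Constructed sample files for illustration; not the real Telstra/vendor config.
# Weak: the first rule sits before any User-agent line (ignored by parsers), and
# the second lacks its leading "/" so it never matches a URL path.
WEAK_ROBOTS = """\
Disallow: /exports/
User-agent: *
Disallow: exports/
"""

# Corrected: the rule is inside a User-agent block and is a proper path prefix.
FIXED_ROBOTS = """\
User-agent: *
Disallow: /exports/
"""

# Constructed URLs on an assumed host; these spreadsheets must never be indexed.
SENSITIVE_URLS = [
    "https://crm.example.invalid/exports/customers-2009.xlsx",
    "https://crm.example.invalid/exports/partners/retail.csv",
]


def still_crawlable(robots_txt, urls, agent="Googlebot"):
    """Return the URLs that the given robots.txt still permits `agent` to fetch."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return [u for u in urls if rp.can_fetch(agent, u)]


def lint_robots(robots_txt):
    """Flag rule lines that silently do nothing: rules outside a User-agent
    block, and paths without a leading '/' (robots.txt paths are prefixes)."""
    findings = []
    in_agent_block = False
    for n, raw in enumerate(robots_txt.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_agent_block = True
        elif key in ("allow", "disallow"):
            if not in_agent_block:
                findings.append(f"line {n}: {key} before any User-agent line is ignored")
            if value and not value.startswith("/"):
                findings.append(f"line {n}: path '{value}' lacks a leading '/' and matches nothing")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_ROBOTS), ("fixed", FIXED_ROBOTS)):
        print(name, "lint:", lint_robots(cfg) or "ok")
        print(name, "still crawlable:", still_crawlable(cfg, SENSITIVE_URLS))
```

Even with the corrected file, the export files remain downloadable by anyone who knows or guesses the URL; the lint only catches rules that cannot work, not the missing access control.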

“The Commissioner found that this indicated a failure by Telstra (or the third party provider on Telstra’s behalf) to take reasonable steps to monitor the security of personal information held by Telstra,” the investigative report reads.

The operator was also fined AU$10,200 for failing to comply with a previous ACMA decision on a data breach. In a December 2011 incident Telstra was found to have leaked online the names and, in some cases, the addresses of approximately 734,000 Telstra customers, along with the usernames and passwords of up to 41,000 of those customers. The details were found to be publicly available and accessible on the internet between March 2011 and December 2011.

This breach was also related to Telstra’s use of Oracle RightNow but this does not mean the system is flawed, said Laurent Lachal, senior analyst within Ovum’s software group.

“There is nothing to suggest Oracle’s software is inherently unsafe. Nearly half of the world runs on Oracle, and, like most security flaws with Oracle, users would have been up in arms about this from the outset,” said Lachal.

“The sense that I get is that the ball really is more in Telstra’s court and the data management provider than Oracle,” he said, echoing the findings of the Privacy Commissioner’s report.

“Following the 2011 breach, Telstra implemented an interim process using a ‘Security Approval mailbox’, to ensure that any changes to the platform would be reviewed by Telstra’s security team in order to mitigate the known risks. However, this process was not followed. Information from Telstra indicated that this was a key contributing factor to the data breach,” the report reads.

The operator has since migrated to an in-house CRM platform. Oracle declined to comment on the findings of the report.

The Privacy Commissioner also recommended that Telstra engage an independent third party auditor to validate that the operator has made the changes and that certification of this is provided to the Commissioner by the end of June this year.

It has also told Telstra to review its document retention policy and ensure it meets the requirements of the Australian Privacy Principles, which take effect on 12 March 2014.

“This incident provides lessons for all organisations — there is no ‘set and forget’ solution to information security and privacy in the digital environment. Organisations need to regularly review and improve security systems to avoid data breaches,” said Privacy Commissioner Timothy Pilgrim.

By Jonathan Brandon and Dawinder Sahota
