29 June 2012
Telstra disclosure breaches TCP Code
On 9 December 2011, Telstra advised the Australian Communications and Media Authority that the names and in some cases addresses of up to 734,000 Telstra customers had been accessible via a link available on the internet. Usernames and passwords of up to 41,000 of these Telstra customers had also been accessible.
‘Under clause 6.8.1 of the Telecommunications Consumer Protections Code (TCP Code) a Carriage Service Provider must protect the privacy of each customer’s billing and related personal information,’ said Acting ACMA Chairman, Richard Bean.
The Australian Privacy Commissioner also found that Telstra breached the Privacy Act 1988, for failing to protect the personal information of users.
Telstra explained that they used a web-based customer management tool called the Visibility Tool to track orders for bundled products. Personal information such as usernames, passwords and addresses, and in some cases drivers licence numbers and dates of birth, were publicly accessible on the Visibility Tool from 29 March 2011 to 9 December 2011. The number of customers in the database increased from March to December, peaking at 734,000 customers by December 2011.
‘We are most concerned about the length of time–more than eight months–during which a significant number of Telstra customers’ personal information was publicly available and accessible,’ Richard Bean added.
‘Clearly there were gaps in Telstra’s processes to identify and act on the matter prior to media reports of the disclosure.’
Telstra has taken steps to remedy its processes and the ACMA is considering those steps and its formal enforcement response.
Where the ACMA finds a TCP Code breach, it can issue the service provider involved a direction to comply with the code or issue a formal warning. However, it cannot fine or otherwise penalise the provider.
For more information or to arrange an interview, please contact: Emma Rossi, (02) 9334 7719 and 0434 652 063 or firstname.lastname@example.org.