Last year a Fairfax journalist discovered that the telco had published the names, phone numbers and addresses of customers. The journalist alerted the telco to the breach, and also informed the Office of the Australian Information Commissioner (OAIC).
The OAIC launched a year-long investigation with the Australian Communications and Media Authority (ACMA), and the agencies have now handed down their reports.
They found Telstra made the information of 15,775 customers available for 15 months during 2012 and 2013. The information included more than 1,257 customers with silent line numbers, and related to customer data from 2009 and earlier. There were at least 166 unique downloads of the records.
The OAIC’s investigation focused on whether Telstra took reasonable steps to protect customer information from misuse, loss, unauthorised access, modification or disclosure.
Privacy Commissioner Timothy Pilgrim found Telstra failed to take reasonable steps to ensure the security of the data it held.
“This incident is a timely reminder to all organisations that they should prioritise privacy,” Mr Pilgrim said in a statement. He says the information could be easily found by anyone online. “It was accessible by way of a Google search that took them to some source material, which was some spreadsheets containing the personal information of these customers.”
Following the breach, Telstra, which says it has now fixed the problem, agreed to actions including exiting the software platform on which the breach occurred. It also vowed to establish a clear policy for central software management, and review contracts with third parties relating to personal information handling.
In its report, the ACMA found Telstra’s actions contravened the Telecommunications Consumer Protections Code.
The code requires telcos to ensure the personal information of customers is protected from unauthorised use or disclosure and to have robust procedures in place. The ACMA noted that Telstra had failed to comply with directions over a previous code breach, and fined the telco $10,200.
“The ACMA welcomes Telstra’s agreement to the Privacy Commissioner’s recommendations,” ACMA chairman Chris Chapman said. “Telco providers are in a position of trust with respect to their customers’ details and with it comes a weighty responsibility – a fact reflected in the outcomes mandated by the TCP Code.”
The OAIC has published two public reports on previous investigations into Telstra:
- The personal information of approximately 734,000 customers was made publicly available online in December 2011.
- A mailing list error resulted in approximately 220,000 letters with incorrect addresses being mailed out in October 2010.
From 12 March 2014, new privacy laws will introduce a new set of Australian Privacy Principles, a more comprehensive credit reporting system and enhanced powers for the Commissioner. The reforms introduce new enforcement powers and remedies for investigations that the Commissioner commences on their own initiative. The Commissioner will be able to make a determination, accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies.
The Privacy Commissioner, Timothy Pilgrim, found Telstra breached the following National Privacy Principles:
- 4.1: failure to take reasonable steps to ensure the security of the personal information it held
- 4.2: failure to take reasonable steps to destroy or permanently de-identify the personal information it held
- 2.1: disclosure of personal information other than for a permitted purpose.
In its report, the ACMA found Telstra contravened:
- Clause 4.6.3 of the Telecommunications Consumer Protections Code (TCP Code), which requires telecommunications providers to ensure that the personal information of customers is protected from unauthorised use or disclosure and to have robust procedures in place to that end.
‘This incident is a timely reminder to all organisations that they should prioritise privacy. All entities bound by the Privacy Act must have in place security measures to protect personal information,’ said Privacy Commissioner Timothy Pilgrim.
Following the breach, Telstra agreed to undertake a number of actions, including exiting the software platform on which the incident occurred, establishing a clear policy for central software management, and reviewing contracts with third parties relating to personal information-handling.
In finding Telstra in breach of the Privacy Act, the Privacy Commissioner recommended that Telstra:
- engage an independent third-party auditor to certify that Telstra has implemented planned rectifications, and that the certification be provided to the Commissioner by 30 June 2014; and
- review its Document Retention Policy to ensure it meets the requirements of the Australian Privacy Principles, which apply from 12 March 2014.
Telstra has also paid an infringement notice for $10,200 in relation to Telstra’s contravention of the ACMA’s earlier direction to comply (which is the amount provided for in the relevant telecommunications legislation).
More Than 40,000 Government Data Requests in 6 months, Not Including ‘National Security’ Requests
According to Australia’s largest telco, it received more than 40,000 requests for customer information from Australian government agencies in the second half of 2013, not counting national security requests.
Last week the company released its first transparency report showing how it’s balanced requirements to protect customer privacy against national security and law enforcement requests by the Australian government. The report covers the six months leading up to 31 December last year.
Telstra said the 40,000 figure includes requests from law enforcement, emergency services and regulatory agencies, but does not include “national security related requests.”
Telstra explained the omission of national security requests as the telco’s interpretation of the law.
“Our understanding of the Attorney-General’s Department’s position on requests by national security agencies is that reporting on these figures is prohibited under the Telecommunications (Interception and Access) Act 1979,” a statement from the telco said.
Telstra said it is not allowed to specify the names of the individual agencies that made the 40,000 requests.
Of the 40,000 requests disclosed, the vast majority (36,053) related to law enforcement seeking customer information including names and addresses; carriage service records including calling, SMS and Internet session data; and pre-warrant checks confirming telecom services of interest are still active, Telstra said.
Of the remainder, 2871 related to “life threatening situations” and triple-zero emergency calls, 1450 were for warrants for interception or access to stored communications and 270 were court orders, Telstra said.
“We only disclose customer information in accordance with the law,” Telstra chief risk officer Kate Hughes wrote on the Telstra blog. “We assess any request for information we receive from government agencies to make sure it complies with the law.”
Telstra said Australian law prevents it from acting on any direct requests from overseas authorities for information on Australian customers. However, Telstra operations in other countries must comply with the laws of the land, it said.
“Across all the countries in which Telstra Global operates, we received less than 100 requests for customer information in the six months to 31 December 2013,” it said.
RELATED! ‘The Future of Internet Freedom’ According to Google
In the op-ed, the duo, Eric Schmidt and Jared Cohen, outline the means to overcome internet censorship in repressive communities.
Schmidt, executive chairman of Google, and Cohen, director of Google Ideas, assert that the coming decade will see the internet grow by five billion users from around the globe.
The Googlers surmise that the population growth will come primarily from places like Russia, Vietnam, Pakistan and Iran, where web access is heavily censored. Another dystopian divination?
RELATED! Google Says Don’t Be A Glasshole
New technology often means a bit of a fumble when it comes to manners. Remember the introduction of the mobile phone (geez, you’re old): where is it OK to use your phone, how to deal with loud talkers and, most recently, sexting. The rules governing mobile phones have evolved very, very slowly.
It’s taken more than two decades to come to terms with an accepted set of social do’s and don’ts for the meek mobile. So what’s the etiquette for using Google Glass in public?
The do’s and don’ts for new technologies aren’t always clear; indeed, many are still arguing over using mobiles in restaurants.
So the ever-wise behemoth that is Google has stepped up, providing some basic tips on using its latest, greatest device.
UNRELATED! NSFW: Phishing With Cam Girls: Italian Gamers Stung by Faux Nudity Offers
Those clever boffins at Symantec have dug up a slick new phishing scam aimed squarely at over-enthusiastic Italian gamers. The scam page, hosted on a popular free web hosting site, was cleverly disguised to look like a popular gaming brand. The brand was, according to the scam page, introducing a new service that would allow its users to connect with ubersexy cam-girls.
The lure was super-cute girl pix and promises of girls ready and willing to perform nude webcam shows for a small credit card fee, with some even offered free shows. That doesn’t seem to be a hardship; gamers tend to be lost in another world.
According to Symantec blogger Mathew Manyara, the (scam) gaming brand had prepared a list of users who were willing to perform nude webcam shows. The phishing site claimed that by entering login credentials one could receive by email the names of the users willing to perform and add them to their contact list.
The phishing site explained that login credentials were required because the brand had decided it could not disclose the names of performers outside the network, to maintain the girls’ privacy. To gain the users’ confidence, the phishers assured gullible gamers that there was no scam involved in their offer and that each performer was verified to perform nude sex acts in the webcam shows.
RELATED! Google’s Ghost-town Tours: Fukushima Nuclear Wastelands via Google Maps/Street View
Internet behemoth Google has launched a virtual tour through the nuclear wasteland surrounding Japan’s crippled Fukushima nuclear plant.
Virtual tourists can now take an eerie tour through the deserted streets of Namie, one of the towns abandoned after the Fukushima meltdowns spewed radioactive fallout across a large area.
The site reveals streets overgrown with weeds, and time appears to have stood still since Namie’s entire population of 21,000 people was evacuated two years ago.
Fifty percent of the town on the Pacific coast sits within the 20-kilometre evacuation zone around the nuclear plant, which was crippled by Japan’s 2011 earthquake and tsunami.