Telstra and privacy breaches

July 10, 2012

Telstra and privacy breaches go together like Ginger and Fred, and bacon and eggs.

The Australian ran a story, Telstra rings up a new privacy bungle, about the latest privacy breach, while the Age, in ‘Customer privacy is not negotiable’: Telstra boss admits leaking customer data, shows that the problem is not a fleeting and passing issue. There may be a cultural problem.

The Age article provides:

Telstra CEO David Thodey has told staff “customer privacy is not negotiable” and that the telco’s customers were “entitled” to feel as though the company had “broken their trust” following a recent privacy scandal.

In an email to staff this week, first published on broadband forum Whirlpool and now verified by Telstra’s media team as being genuine, Mr Thodey told staff that further breaches at the telco “must not happen again”.

Mr Thodey warned breaches were affecting the telco’s reputation and said staff should inform their manager “as a matter of urgency” should they have concerns with anything that threatens the privacy of Telstra’s customers.

“Some of our customers may feel we have broken their trust, and, frankly, they are entitled to feel that way. The hard reality is it will take months of hard work to win back that trust,” he said.

Mr Thodey was referring to the fact tech-savvy customers recently uncovered the telco sending URLs its Next G customers visited to a third party for a new web filtering product. Telstra claimed most of the URLs were sanitised of personal information before being sent, but has since admitted that some were not.

“We stopped the program immediately, as this was the right thing to do,” Mr Thodey said.

He went on to explain that it was “not hard to see why” the Privacy Commissioner told The Australian last Friday that he was now on the lookout for systematic privacy weaknesses in Telstra’s operational culture.

The Privacy Commissioner made the comment in light of the fact that Telstra had been involved in a number of privacy breaches in recent years, the most recent in December, which saw customer information readily available online without any system in place to prevent people outside the telco from accessing it.

In May Telstra IT security specialist, Scott McIntyre, revealed the privacy breach was the result of “one little oops” – but the stuff-up had been a “wonderful learning experience” for the telco. Last month the ACMA and Privacy Commissioner said Telstra broke multiple laws in relation to the breach but did not fine it.

“These incidents and investigations create an impression that Telstra does not care enough about the privacy of our customers,” Mr Thodey said. “Not only that, they undermine the great work we have done to improve customer satisfaction and change the way our customers talk about us.

“Of course, the truth is we care deeply about customer privacy.

“That’s why I want to remind everyone that privacy is not an aspiration at Telstra – it is an essential requirement and our license to operate.

“Privacy at Telstra is everyone’s responsibility. We have to do better.”

The Privacy Commissioner issued a press release on his findings, which provides:

The Australian Privacy Commissioner, Timothy Pilgrim has found Telstra in breach of the Privacy Act after 734,000 Telstra customers’ details were made available online in December 2011.

The investigation findings were released today as the Australian Communications and Media Authority also found Telstra breached the Telecommunications Consumer Protections Code.

A database containing the details of customers who had a range of Telstra services was made accessible via a link on the internet. The database contained information such as customer names, phone numbers, order numbers and in a very limited number of cases dates of birth, drivers licence numbers and credit card numbers.

Mr Pilgrim released his investigation report today finding that a number of internal errors occurred in the lead up to the incident in December 2011.

“I found the privacy breach occurred because of a series of errors revealing significant weaknesses in Telstra’s reporting, monitoring and accountability systems”, Mr Pilgrim said.

“Of particular concern is that a number of Telstra staff knew about the security issues with the database but did not raise them with management. This incident could have been easily avoided if appropriate planning was undertaken”.

“The failure by Telstra to correctly categorise the database project in its design phase as one involving customer data meant that the database did not receive the appropriate level of protection from the very beginning”.

The Commissioner found Telstra to be in breach of two National Privacy Principles under the Privacy Act 1988:

  • National Privacy Principle 2.1 (Use and disclosure)
  • National Privacy Principle 4.1 (Data security)

Mr Pilgrim warned businesses of the importance of conducting a Privacy Impact Assessment (or PIA) when commencing new projects.

“Build your privacy in at the beginning, don’t bolt it on as an afterthought. All businesses should conduct a PIA to make sure that potential privacy risks are considered at the start of any project and that risk mitigation strategies are put in place”.

Telstra has committed to a remediation project to introduce significant measures to protect the security of the personal information it holds and prevent unauthorised access and disclosure in the future. The Commissioner closed the investigation after reviewing the remediation plans Telstra has in place.

In ceasing his investigation into the matter, the Commissioner asked Telstra to provide him with a report on the progress of the remediation project by October 2012. He also asked Telstra to provide him with a report on the completion of the remediation project by April 2013.

“The Privacy Act does not give me the power to impose any penalties or seek enforceable undertakings from organisations I have investigated on my own initiative. However, the privacy law reforms that are currently before Parliament will provide me with additional powers and remedies when conducting such investigations.”
