ACMA and Office of the Information Commissioner find Telstra breached the law
March 11, 2014
Today the Privacy Commissioner found that Telstra breached National Privacy Principles 4.1, 4.2 and 2.1 arising out of the leak of the personal information of 15,775 customers. The Privacy Commissioner’s finding is found here. The ACMA also found that Telstra breached the Telecommunications Consumer Protections Code. Its finding is found here.
The reportage has been long and loud: The Age with Telstra breaches privacy of thousands of customers, the ABC with Telstra fined after breaching privacy of 15,775 customers, itnews with Telstra breached Privacy Act by exposing user data, and the Australian with Telstra leak breached privacy law: reports.
The Privacy Commissioner’s decision, absent footnotes, provides:
Overview
On 24 May 2013, the Australian Privacy Commissioner (the Commissioner) opened an own motion investigation into Telstra Corporation Limited (Telstra). This was in response to media allegations that personal information of Telstra customers was accessible online, which Telstra confirmed.
The Commissioner’s investigation focused on whether Telstra took reasonable steps to protect customer information from misuse, loss, unauthorised access, modification or disclosure.
After considering the facts of the case, submissions from Telstra and the relevant provisions of the Privacy Act 1988 (Cth) (Privacy Act), the Commissioner came to the view that Telstra had breached the Privacy Act, by failing to take reasonable steps to secure personal information it held. The Commissioner also found that Telstra had unlawfully disclosed personal information.
The Australian Communications and Media Authority (the ACMA) also carried out an investigation into the incident in relation to Telstra’s compliance with clause 4.6.3 of the Telecommunications Consumer Protections Code C628:2012 (the Code). The ACMA found that Telstra contravened clause 4.6.3 of the Code by failing to protect the privacy of customers’ personal information. The ACMA also found that Telstra’s conduct contravened the direction given to Telstra by the ACMA on 3 September 2012 under subsection 121(1) of the Telecommunications Act 1997. The Office of the Australian Information Commissioner (OAIC) and the ACMA communicated regarding their respective investigations.
Background
On 15 May 2013, the Commissioner received information that spreadsheet files containing personal information about Telstra customers (the source files) were publicly accessible online (the data breach). Telstra was also notified of the data breach on 15 May 2013 and took immediate steps to respond to the breach.
The following events led to the data breach:
- source files were hosted on the platform that was the subject of the data breach (platform) by a third party service provider (third party provider) on behalf of Telstra
- Telstra requested its third party provider to extend an access control to enable authorised partners to access Telstra’s retail information via the platform
- the third party provider deployed the requested solution on 24 February 2012; this inadvertently turned off the access control, making the source files publicly accessible online
- Google indexed the source files on and from 23 June 2012, making the source files discoverable via Google search between 23 June 2012 and 15 May 2013, and
- the source files were discovered and accessed by an internet user who conducted a Google search for ‘Telstra’ and two other specific search criteria; that individual alerted the media.
The data breach resulted in the personal information of approximately 15,775 Telstra customers being compromised, including full names, addresses and phone numbers. This included 1,257 customer accounts with active silent line services. Through its internal investigation, Telstra identified that there had been at least 166 unique downloads of the source files.
Personal information held on the platform was the subject of a previous data breach by Telstra in December 2011, where the personal information of approximately 734,000 customers was made publicly available online (the 2011 breach).
At the time of the data breach, Telstra was taking remedial steps in response to the 2011 breach.
Relevant provisions of the Privacy Act
Organisations covered by the Privacy Act must comply with ten National Privacy Principles (NPPs) contained in Schedule 3 to the Act. The NPPs apply to the handling of ‘personal information’ which the Privacy Act defines as:
information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
The Privacy Act applies to all private sector organisations with an annual turnover of more than $3 million and some small businesses. Telstra is subject to the Privacy Act and the NPPs.
NPP 4 (Data security) and NPP 2 (Use and disclosure) are the Privacy Act provisions relevant to this data breach. In particular:
- NPP 4.1 requires organisations to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure
- NPP 4.2 states that, if an organisation no longer needs personal information for any purpose under NPP 2, then the organisation must take reasonable steps to destroy or permanently de-identify it
- NPP 2.1 provides that an organisation may only use or disclose personal information for the primary purpose of collection, unless an exception applies.
Findings
Security of personal information (NPP 4.1)
In assessing whether Telstra took reasonable steps to comply with NPP 4.1, the Commissioner considered information from Telstra about the security safeguards in place relating to the platform prior to the data breach, and what steps would have been reasonable in the circumstances to protect the personal information held. This included considering the nature of the personal information, Telstra’s risk environment, implementation of security processes, website configuration, vulnerability testing and monitoring, and industry practice. The Commissioner also had regard to the guidance set out in the OAIC’s Guide to information security.
Nature of personal information
Telstra stated that it considered the data breach ‘low risk from a privacy perspective’ because, among other things, the information available was limited to a customer’s name, phone number and address.
However, the Commissioner noted that a breach of this type of personal information for the 1,257 Telstra customers with silent line services was not low risk. Further, the Commissioner noted that varying risk levels may require an entity to take varying security precautions in order to meet the requirements of NPP 4.1.
Risk environment
At the time of the data breach, Telstra was undertaking a remediation program in response to the 2011 breach involving the platform. The remediation program included decommissioning the third-party provided platform to an internal solution and remedying deficiencies in Telstra’s data management and security governance framework.
In this regard, the Commissioner found that Telstra was operating in a heightened risk environment, and that Telstra was required to take steps that were reasonable in light of that risk environment.
Implementation of security processes
Following the 2011 breach, Telstra implemented an interim process using a ‘Security Approval mailbox’, to ensure that any changes to the platform would be reviewed by Telstra’s security team in order to mitigate the known risks. However, this process was not followed. Information from Telstra indicated that this was a key contributing factor to the data breach.
Web configuration
The Commissioner found the indexing of personal information by Google indicated that Telstra (or the third party provider, on Telstra’s behalf) did not effectively configure its website to request search robots such as Googlebot (via the robots.txt file) not to index, archive or cache the data on parts of the website not intended to be publicly accessible. Correctly implementing the robots.txt command would have significantly limited the discoverability of the compromised personal information, and may have prevented access by unauthorised persons.
Vulnerability testing and monitoring
Compliance with NPP 4.1 requires entities to take reasonable steps to secure personal information, which generally includes implementing clear policies and procedures to maintain the security of personal information, such as establishing:
- the frequency at which testing will be conducted, given the nature of the personal information held
- who is responsible for conducting testing (for example the entity who holds the data or a third party service provider who deals with the data on the entity’s behalf)
- what sort of testing may be suitable, given the nature of the personal information held and the way that information is stored and processed, and
- if testing identifies weaknesses, how this will be reported and addressed.
During the investigation, Telstra indicated that it plans to implement certain strategies that may include privacy policies and procedures (see ‘Rectification’ below). However, Telstra also stated that once a particular access control is implemented in a secure state, there is no need to undertake on-going testing.
The Commissioner disagreed on the basis that there is no ‘set and forget’ solution to security and privacy in the digital environment. As network and other vulnerabilities arise, and as programs and platforms are amended or updated, what is secure at a particular point in time can become subject to a vulnerability at a later date. The Commissioner also noted that routine testing of website security and access control settings may be a reasonable security step as required under NPP 4.1.
Unknown to Telstra, the source files remained accessible between February 2012 and the date of the data breach in May 2013. The Commissioner found that this indicated a failure by Telstra (or the third party provider on Telstra’s behalf) to take reasonable steps to monitor the security of personal information held by Telstra. Telstra asserted that ‘the duration of potential accessibility [was] an irrelevant consideration in assessing whether or not [Telstra] took reasonable steps’ to secure personal information, as NPP 4.1 makes no reference to duration.
The Commissioner considered duration of potential accessibility to be a relevant consideration. This is particularly the case in the networked digital environment, where accessible data is easily copied, transferred and disseminated. While personal information is accessible, there continues to be a risk that it will be accessed. The Commissioner considered that where personal information is inadvertently or mistakenly made accessible to the public, it will generally be a reasonable security step to limit the duration of that accessibility as much as possible.
In response to the data breach, Telstra established a Security Exploration Team tasked with proactively searching for any Telstra customer data that may be accessible publicly or through search robots (see ‘Rectification’ below). The Commissioner noted that if such processes had been in place prior to the data breach, they may have detected the access control failure and the incorrect implementation of the ‘robots.txt’ file. This would have enabled Telstra to prevent or limit the impact of the data breach.
Industry practice
In relation to Software as a Service (SaaS) testing, Telstra told the OAIC that it complied with industry practice.
The Commissioner noted that adherence to industry practice is not, in and of itself, an alternative to an entity meeting its regulatory and legal obligations. If an entity engages in what it considers to be industry practice, and that practice falls short of the requirements of the Privacy Act, the Commissioner may consider that entity non-compliant.
NPP 4.1 conclusion — whether reasonable steps were taken to secure the personal information
The Commissioner found that Telstra had:
- made personal information publicly accessible online, and
- failed to properly configure its website (via the robots.txt file) to prevent the unwanted indexation of content by search robots including Googlebot.
Once the source files were made publicly accessible online, this resulted in Google indexing the source files allowing greater discoverability. The Commissioner determined that the source files were accessible for 14 months and discoverable via a Google search for almost 11 months.
The Commissioner was also satisfied that:
- following the 2011 breach, Telstra was aware of particular security risks with Telstra’s management of the platform
- it was a reasonable step to implement security processes and procedures to address the heightened risk environment
- had Telstra followed its own processes, it may have prevented or mitigated the effects of the breach, and
- in order to satisfy the requirements of NPP 4.1, ‘reasonable steps’ in the circumstances required both the implementation of reasonable security procedures and adherence to them.
Further, Telstra failed to take steps such as vulnerability testing and monitoring despite its awareness of the heightened risk environment.
Based on the considerations set out above, the Commissioner found that Telstra contravened NPP 4.1, by failing to take reasonable security steps to protect the personal information it held from misuse and loss and from unauthorised access, modification or disclosure.
Secure destruction or permanent de-identification of personal information that is no longer required (NPP 4.2)
NPP 4.2 requires organisations to take reasonable steps to destroy or permanently de-identify personal information that is not being used or disclosed for any purpose under NPP 2 (in other words, where the personal information is no longer required). To comply with this obligation, an organisation must have systems or procedures in place to identify information the organisation no longer needs, and a process for how the destruction or de-identification of the information will occur.
The source files compromised in the data breach contained information from 2009 and earlier. Telstra was unable to initially determine the purpose of the compromised data and subsequently stated that it was retained in accordance with its document retention policy (a copy of that policy was provided to the Commissioner). However Telstra did not identify any particular provisions in the document retention policy that required the source files to be retained on the platform.
Telstra also advised that because the information in the source files was between four and seven years old, it did not have an immediate commercial need for the data.
The Commissioner noted that information that is not current may still cause harm in the event that it is compromised, for example, it may be used for identity theft purposes.
Telstra did not demonstrate that in this instance it had systems in place to identify personal information that was not being used or disclosed for a purpose under NPP 2. Further, the Commissioner did not consider any of the information provided by Telstra to indicate that Telstra had adequate processes in place to destroy or de-identify information that was no longer in use.
Therefore, the Commissioner found that Telstra failed to take reasonable steps to destroy or permanently de-identify the personal information held on the platform that was no longer needed for any lawful purpose, in contravention of NPP 4.2.
Disclosure of personal information (NPP 2.1)
As part of the investigation, the Commissioner considered whether there had been a breach of NPP 2.1 in relation to the publication of customer information online by Telstra. NPP 2.1 regulates the use and disclosure of personal information and states that organisations may only use or disclose personal information for the primary purpose of collection, unless an exception applies.
In general terms an organisation ‘discloses’ personal information when it releases information, whether purposely or accidentally, to others outside the organisation.
Telstra is aware of at least 166 unique downloads of the source files by IP addresses that are not associated with Telstra or its affiliates. The Commissioner found that this occurred as a result of Telstra allowing the source files to be made publicly accessible online, following implementation of the incorrect access control setting.
Therefore, the Commissioner found that the external accessibility of customers’ personal information held on the platform was a disclosure in breach of NPP 2.1.
Rectification
The Commissioner found that Telstra acted appropriately in responding to the data breach. After being notified of the breach, Telstra:
- disabled all public access links to the source files containing the customer data, and requested Google to clear all relevant caches
- reported the incident to the ACMA and the Telecommunications Industry Ombudsman
- requested that the third party provider commence an internal investigation and report back to Telstra, and
- notified affected customers, and developed a process to enable resellers’ end users to change their number as required.
To prevent future data breaches, Telstra also conducted internal reorganisation to support the central management of software and platforms by Telstra IT, increased security controls, recommended an internal review into Telstra’s use of SaaS solutions (including monitoring and ensuring that solutions employ reasonable security steps), and established a Security Exploration Team tasked with searching for any Telstra customer data that may be accessible publicly or through search robots.
As of 31 December 2013, Telstra decommissioned all instances of the platform and migrated to an internal platform managed by Telstra IT.
Telstra will also establish a clear policy for central software management (including information security arrangements), review contracts relating to personal information handling (including by enhancing Telstra’s control over third party providers), implement a data loss prevention program, adopt a Privacy by Design strategy, and exit its contract with the third party provider.
Recommendations
Telstra is responsible for the personal information of millions of Australians. It has both a legal and corporate responsibility to take all reasonable steps to ensure personal information is protected.
The Commissioner has requested and Telstra has agreed that Telstra engage an independent third party auditor by 12 March 2014 to certify that Telstra has implemented the planned rectification, and that the certification be provided to the Commissioner by 30 June 2014. This will help ensure Telstra is well placed to comply with the reforms to the Privacy Act that apply from 12 March 2014.
The Commissioner has also recommended that Telstra review its Document Retention Policy to ensure it meets the requirements of the Australian Privacy Principles.
Conclusion
The Commissioner found that Telstra:
- failed to take reasonable steps to ensure the security of the personal information that it held, in contravention of NPP 4.1
- failed to take reasonable steps to destroy or permanently de-identify the personal information it held in contravention of NPP 4.2, and
- disclosed personal information other than for a permitted purpose, in contravention of NPP 2.1.
Telstra acted appropriately in response to the data breach by immediately disabling all public access links to the source files containing the customer data.
Since the data breach, Telstra has undertaken an appropriate review of the incident and data involved, and taken appropriate steps to notify potentially affected customers. Telstra has also partially addressed the OAIC’s recommendations and is in the process of addressing those remaining.
Based on the information from Telstra about its review and remediation of the data breach and Telstra’s ongoing implementation of recommendations made by the OAIC, the Commissioner decided to close the investigation.
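The Commissioner’s ‘Web configuration’ finding turns on a simple question: did the robots.txt file ask crawlers such as Googlebot to stay out of the area that was never meant to be public? The script below is an added illustration of how that question can be answered from the file itself; it is not part of either decision and not anything Telstra or its provider deployed. It uses Python’s standard-library robots.txt parser, and the site name (example.invalid), the two robots.txt variants and the file paths are all constructed for the example.

```python
"""Added example: report which sensitive paths a named crawler would still be
allowed to fetch under a given robots.txt. All data here is constructed."""
from urllib.robotparser import RobotFileParser

# Constructed robots.txt variants. The first never mentions the partner-only
# area, so a crawler that finds a link to it is free to index it; the second
# asks every robot to keep out of that area.
ROBOTS_MISSING_RULE = """User-agent: *
Disallow: /tmp/
"""

ROBOTS_WITH_RULE = """User-agent: *
Disallow: /tmp/
Disallow: /partners/
"""

# Constructed paths: two in an area that must never be indexed, one public page.
SENSITIVE_PATHS = [
    "/partners/churn-2009.xls",
    "/partners/reports/q1.xlsx",
]
PUBLIC_PATHS = ["/index.html"]

SITE = "https://example.invalid"  # reserved name, never resolves (assumption)


def crawlable_paths(robots_txt, paths, user_agent="Googlebot", site=SITE):
    """Return the subset of `paths` that `user_agent` may fetch under `robots_txt`.

    RobotFileParser.parse() takes the file as a list of lines; can_fetch() wants
    an absolute URL and applies the rules for the named agent, falling back to
    the `*` group. A path under no Disallow rule is allowed.
    """
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return [path for path in paths if parser.can_fetch(user_agent, site + path)]


def audit(robots_txt, sensitive=SENSITIVE_PATHS, public=PUBLIC_PATHS):
    """Review a robots.txt: every sensitive path still crawlable is a finding,
    and public pages are listed too, because an over-broad Disallow that hides
    the public site is its own regression."""
    return {
        "exposed": crawlable_paths(robots_txt, sensitive),
        "public_still_crawlable": crawlable_paths(robots_txt, public),
    }


if __name__ == "__main__":
    for label, text in (("missing rule", ROBOTS_MISSING_RULE),
                        ("with rule", ROBOTS_WITH_RULE)):
        print(label, audit(text))
```

The check only tells you what a well-behaved crawler will do. A Disallow line is a request, not an access control: it does nothing against a direct fetch, and it advertises the path it names to anyone who reads the file. That is why the decision says correct robots.txt handling would have limited discoverability and ‘may have prevented’ access, while the breach itself is the access control failure that made the files public.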
The ACMA decision, absent footnotes, provides:
Findings
The Australian Communications and Media Authority (ACMA) has found that Telstra Corporation Ltd (ABN 33 051 775 556) (Telstra) contravened clause 4.6.3 of the Telecommunications Consumer Protections Code C628:2012 (TCP Code) from 1 September 2012 to 15 May 2013, by failing to protect from unauthorised use or disclosure the personal information of 15,775 customers which was able to be accessed online. The ACMA has found that this conduct also contravened the direction given to Telstra by the ACMA on 3 September 2012 under subsection 121(1) of the Telecommunications Act 1997 (the Act).
Background
1. This report presents the findings of an investigation conducted by the ACMA into Telstra’s compliance with clause 4.6.3 of the TCP Code, and consequently with the direction given to Telstra by the ACMA on 3 September 2012 to comply with clause 4.6.3 of the TCP Code.
2. The current TCP Code has been registered under Part 6 of the Act since 1 September 2012. It contains rules about how carriage service providers (CSPs) deal with their residential and small business customers. The rules apply to a range of CSP business practices, including the protection of personal information.
3. Telstra is one of the main providers of telecommunications services in Australia. Telstra is a carrier and a CSP within the meaning of the Act and a Supplier for the purposes of the TCP Code. Telstra is therefore required to comply with the provisions of the TCP Code.
4. On 3 September 2012, a direction was given to Telstra to comply with clause 4.6.3 of the TCP Code following an ACMA investigation into an incident identified in December 2011 (the December 2011 incident). The December 2011 incident involved the names and in some cases the addresses of approximately 734,000 Telstra customers, and the usernames and passwords of up to 41,000 of those customers, being found to be publicly available and accessible on the internet during the period from 29 March 2011 to 9 December 2011.
Relevant facts
5. In May 2013, Telstra contacted the ACMA to advise that it had learnt, via a journalist, that the names, phone numbers and addresses of around 15,775 Telstra customers had been available on the internet (the May 2013 incident).
6. Telstra subsequently confirmed that the information had been available from June 2012 to May 2013 and related to customer information from between 2006 and 2009. The records included the information of 1,257 active silent line customers. Of these, 950 related to Telstra retail customers, while 307 related to end users of Telstra’s wholesale customers. Telstra also advised that there were at least 166 unique downloads of these records.
7. Telstra met with the ACMA to discuss the May 2013 incident on 15 October 2013 and provided the ACMA the Data Incident Report—May 2013 (the data incident report) the following day. The report outlined the reasons for the incident and the steps Telstra was taking to prevent such an incident from happening again.
8. Having considered the information provided, on 18 October 2013 the ACMA commenced an investigation into Telstra under paragraph 510(1)(c) of the Act.
9. Clause 4.6.3 of the TCP Code states that:
Personal information: A Supplier must ensure that a Customer’s or former Customer’s Personal Information is protected from unauthorised use or disclosure and dealt with by the Supplier in compliance with all applicable privacy laws.
A Supplier must take the following actions to enable this outcome:
(a) Storage: have robust procedures for storing its Customers’ Personal Information in its possession which are followed by its staff;
(b) Security: have robust procedures to keep its Customers’ Personal Information in its possession secure and restrict access to personnel who are authorised by the Supplier; and
(c) Breach: ensure its staff understand that they may face disciplinary action if they breach the Supplier’s privacy procedures, the Privacy Act or other privacy laws.
10. As explained in the introductory statement to the TCP Code, code rules are generally organised in two parts: a higher level outcome followed by some actions required to enable that outcome (emphasis added). Accordingly, it is possible for a supplier to contravene the higher level ‘outcome’ part of a rule without having separately contravened the ‘actions’ part.
11. The TCP Code adopts the definition of “personal information” under section 6 of the Privacy Act 1988 (Privacy Act), which defines personal information to include: information about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. In the ACMA’s view, the customer information disclosed in the May 2013 incident is “personal information” within the meaning of the Privacy Act and of “Customer Personal Information” within the meaning of the TCP Code.
12. On 6 November 2013, the ACMA provided Telstra with the preliminary findings of this investigation. Telstra provided a response to those findings on 25 November 2013. On 14 January 2014, Telstra met with the ACMA to give further context about the challenges involved in testing access controls on an ongoing basis. Telstra’s further submissions have been considered prior to the ACMA forming a final view, and have been referred to in this report where relevant.
Findings and Reasons
Compliance with the TCP Code
13. The ACMA has considered Telstra’s compliance with clause 4.6.3 of the TCP Code having regard to:
- Telstra’s letter to the Australian Privacy Commissioner dated 23 May 2013, which provided the OAIC with formal notification of the May 2013 incident;
- Telstra’s letter to the ACMA dated 26 August 2013, which provided the ACMA with an update on Telstra’s investigation into the May 2013 incident;
- Information provided by Telstra at the 15 October 2013 meeting;
- The data incident report dated 16 August 2013;
- The submission provided by Telstra on 25 November 2013 in response to the ACMA’s Preliminary Investigation Report; and
- Information provided by Telstra at the 14 January 2014 meeting and confirmed by email on 20 January 2014.
Cause of the May 2013 incident
14. Telstra has stated that the May 2013 incident was caused by the deployment of a software solution on 24 February 2012 by an external provider. The software solution was intended to increase the character limit of an Internet Protocol (IP) white list access control, to enable more authorised users to access certain internal documents (a customer churn database). While this aim was achieved, the solution also inadvertently resulted in a small proportion of files ceasing to be protected by the white list access controls. This led to a small proportion of spreadsheets containing customer data being indexed by Google on 23 June 2012, which were then able to be found online using a specific Google search.
15. Telstra states that at the time the software solution was deployed, it assumed that the external provider would continue to deliver a secure solution, and had no reason to believe that existing protections against unauthorised access would not continue to apply. Telstra’s investigation into the incident suggested that Telstra did not undertake a detailed review of the software solution deployed on 24 February 2012. While Telstra has stated that it thinks it is unlikely that additional testing would have identified the design flaw, in the data incident report it nevertheless acknowledges that additional review and testing should have been undertaken prior to the acceptance and deployment of the software solution.
Relationship to the December 2011 incident
16. In its letter to the ACMA dated 26 August 2013, Telstra notes that while the May 2013 incident involved the same technology platform as the December 2011 incident, the circumstances and cause of each incident were very different. In its response to the ACMA’s Preliminary Investigation Report, Telstra states that while the December 2011 incident was partly caused by internal administrative failings, the May 2013 incident resulted from a software solution entirely controlled by an external provider. Telstra states that in respect of the May 2013 incident it necessarily relied on the external provider to establish and maintain appropriate security controls.
17. The ACMA notes that the access control failures which ultimately led to the May 2013 incident occurred in the period immediately after the December 2011 incident. Telstra has advised that during this period, it was in the process of transitioning management of the external provider’s platform to its IT area. While the data incident report notes that there were interim processes in place (including a special mailbox that was to be used to ensure software changes were reviewed by a security team), these processes were not followed when the software solution was deployed. While it appears that a Telstra employee tested the solution to ensure that authorised users were able to access the relevant documents, no test was undertaken to determine whether the documents could also be accessed by unauthorised users.
18. Telstra has acknowledged that there should have been more awareness about the need to closely monitor changes to access controls, particularly since the February 2012 software upgrade occurred so soon after the identification of the December 2011 incident.
Compliance with clause 4.6.3 of the TCP Code
19. As customer information was able to be accessed online as described above, the ACMA has found that Telstra failed to ensure that customer’s and former customer’s personal information was protected from unauthorised use or disclosure and dealt with in accordance with all applicable privacy laws.
20. The current TCP Code came into operation on 1 September 2012. The ACMA has therefore found that Telstra breached the headline clause of 4.6.3 of the TCP Code in respect of the May 2013 incident from 1 September 2012 to 15 May 2013, by failing to protect customer information during this period.
21. In its response to the Preliminary Investigation Report, Telstra argues that clause 4.6.3 of the TCP Code is satisfied if a provider takes the steps set out in subclauses (a), (b) and (c). It submits that the ACMA cannot assess breaches of the headline clause and the subclauses of the provision separately. As foreshadowed in paragraph 10 above, the ACMA does not accept this interpretation. The headline or ‘outcome’ clause creates a distinct obligation and a provider can be found to be in contravention of that ‘outcome’ obligation even if it has not separately contravened an ‘actions’ obligation. The ACMA has assessed Telstra’s compliance with clause 4.6.3 accordingly.
22. The ACMA also notes Telstra’s submission that compliance with clause 4.6.3 of the TCP Code should be assessed with reference to the requirement to take ‘reasonable steps’ to protect personal information set out in the National Privacy Principles. While noting that clause 4.6.3 of the TCP Code refers to compliance with applicable privacy laws, the ACMA considers that this reference is additional to the requirement to protect customer information from unauthorised use or disclosure and does not operate to import the concept of ‘reasonable steps’ from the Privacy Act with respect to the other requirements set out in that clause.
23. Telstra has submitted that it did take reasonable steps to protect customer information and it is not reasonable to expect it to conduct ongoing testing of software solutions in circumstances where testing is unlikely, for technical reasons, to reveal vulnerabilities. Telstra has advised that 6 out of over 56,000 different URL pathways were not protected by access controls, and they were only accessible through a specific and targeted URL search. The ACMA notes that clause 4.6.3(b) of the TCP Code requires a supplier to have robust procedures to keep its customer information secure and restrict access to authorised personnel. At the meeting on the 14th of January, Telstra advised that it had procedures in place to search for Telstra data which may have been disclosed or inadvertently made publicly accessible. However, the ACMA notes that the incident was discovered by a journalist’s source, not by Telstra, and that the customer information in question was accessible for at least 11 months. The ACMA also notes that there were at least 166 unique downloads of these records, indicating the records may have been accessed by multiple people. The ACMA therefore considers it reasonable to conclude that the information could also have been found by Telstra, if it had robust procedures in place to protect customer information.
24. The ACMA is of the view that while every effort should be made to prevent unauthorised disclosure of customer information, providers should also have processes in place to address any problems that may not have been picked up initially, to ensure customer information is protected.
25. Telstra also submitted in its correspondence of 25 November that the May 2013 incident concerned a solution which was entirely controlled by the external provider, and that it relied on that provider to establish and maintain appropriate security controls. However, any reliance on the external provider has no bearing on whether Telstra breached clause 4.6.3. The TCP Code establishes an outcome which Telstra itself must deliver when dealing with customers, irrespective of any ‘outsourcing’ arrangements it makes. Alternatively expressed, Telstra may (and no doubt often does) outsource various services but it cannot outsource its regulatory obligations when expressed in the form that clause 4.6.3 represents.
26. In any event, Telstra’s August data incident report sensibly acknowledges that a more detailed review should have taken place to minimise the risk of a security issue, particularly as the solution was deployed shortly following the discovery of the December 2011 incident.
27. From the evidence provided, the ACMA considers that Telstra did not have robust procedures in place from 1 September 2012 to 15 May 2013 to ensure, on an ongoing basis, that access controls remained secure, and that unauthorised users could not access customer databases. This resulted in Telstra failing to address the data breach and customer information remaining available online during the specified period. While the ACMA acknowledges that having robust procedures in place may not guarantee the prevention of a security breach in every instance, it is Telstra’s responsibility to implement procedures to ensure that the personal information of its customers is kept secure.
28. Accordingly, the ACMA has found that Telstra has contravened clause 4.6.3 of the TCP Code from 1 September 2012 to 15 May 2013, by failing to ensure that customers’ and former customers’ personal information was protected from unauthorised use or disclosure and by failing to have robust procedures in place to keep customers’ personal information in its possession secure and restrict access to authorised personnel.
Compliance with the 3 September 2012 Direction
29. In its response to the Preliminary Investigation Report, Telstra submits that it did not breach the direction given to it by the ACMA on 3 September 2012 to comply with clause 4.6.3 of the Code. It argues that even if it were to accept that there was a failure to adequately test the access controls on the platform supplied by the external provider, the failure occurred when the software solution was deployed in February 2012, 6 months before the direction was issued.
30. The ACMA accepts that the underlying cause of the May 2013 incident occurred before the direction was given. However, from the time that the direction was given on 3 September, customer information remained available on the internet for over eight months. Telstra therefore did not protect this customer information from unauthorised use or disclosure during this period. As discussed in paragraphs 23 to 28, there do not appear to have been robust procedures in place to protect customer information. Given the nature of the December 2011 incident, and the fact that Telstra had been issued a direction to comply with clause 4.6.3 of the Code on 3 September 2012, the ACMA considers it reasonable to expect that Telstra would implement procedures not only to prevent privacy breaches, but also to address any breaches that may not have been caught initially.
31. The ACMA has found that the failure to comply with clause 4.6.3 was the result of deficient processes and procedures. As noted in paragraph 27, it is apparent that a robust process to keep customers’ personal information in its possession secure and restrict access to authorised personnel did not exist during the period from 1 September 2012 to 15 May 2013. This is despite Telstra undertaking to implement improved security and data control procedures following the December 2011 incident.
32. For the reasons outlined above, the ACMA has found that Telstra breached the direction from 3 September 2012 until 15 May 2013 by failing to ensure customer information was protected from unauthorised disclosure and by failing to have robust procedures in place to keep customers’ personal information secure.
Telstra’s response to the May 2013 incident
33. The information provided by Telstra indicates that as soon as it became aware of the data breach, it took steps to disable all public access links to the source and to have Google caches cleared to ensure that the data could not be accessed via a Google search. External access was removed before the incident was publicised in the media.
34. Telstra then took steps to contact all affected customers, and offer remediation as appropriate. It also implemented strategies to ensure affected customers of wholesale partners were contacted.
35. Telstra has advised in its letter of 26 August 2013 that as a result of the May 2013 incident, it is developing a new internal policy and procedure to ensure adequate review of software solutions.
36. Telstra states that it has implemented a number of measures to prevent future data breaches where possible, and to enable it to identify them where they do occur. These measures include:
- exiting the platform supplied by the external provider in December 2013;
- introducing more stringent information security controls around the procurement and management of software solutions;
- establishing a “Security Exploration Team” to proactively search for any Telstra customer data that may be accessible online;
- implementing a “Data Loss Prevention” program to improve security of customer data;
- reviewing the management of third party providers to ensure they are aware of privacy and security requirements; and
- developing and initiating a campaign to improve staff awareness of information security and privacy issues.
37. The ACMA considers that if effectively implemented, the above initiatives should improve Telstra’s ongoing compliance with clause 4.6.3 of the TCP Code.