Another privacy breach by Telstra…

January 23, 2016 |

In Australia telcos tend to be frequent fliers when it comes to poor privacy practices and data breaches. And Telstra and Optus have accrued the most points by far.  The Age reports in Telstra privacy breach leaves customer’s voicemail exposed  another breach, by Telstra.  Mr Thornton does the right thing, wipes his phone by setting to a factory reset, removes the SIM card and then sells the device. Mr Thornton then finds out his old voicemails were being accessed by the new owner of the phone.

This is a bad privacy breach.  The interesting aspect of the piece is the difficulties of getting Telstra to provide assistance.

It provides:

When it was time to upgrade to the latest iPhone, Richard Thornton did what he had done many times before.

He wiped his old iPhone 5 with a factory reset, removed the SIM card, and sold the device second hand to a private buyer.

Melbourne dad Richard Thornton was the victim of a privacy breach.

And then something “scary” happened. The buyer of the iPhone 5 contacted Mr Thornton to tell him he was receiving his personal Telstra voicemail messages.
“They told me, ‘One of your mates called about a gig you were doing for New Year’s Eve,” Mr Thornton, a Melbourne-based IT professional and musician, told Fairfax.

The new phone owner (also a Telstra customer, who wishes to remain anonymous), explained to Mr Thornton that when the iPhone 5 was powered off and then on again, it downloaded Mr Thornton’s voicemail messages to the phone’s inbuilt visual voicemail app, where he could then browse and listen to them in full.

Meanwhile, the new owner was not receiving notifications for his own voicemail, and had to ring up Telstra’s voicemail service manually to check them.

The serious privacy breach, which Mr Thornton detailed on his blog, has stumped both Telstra and Apple, although the responsibility appears to lie with Telstra rather than the iPhone maker.

Mr Thornton said Telstra gave him “the runaround” when he first notified them of the issue, telling him it was “impossible”.

“They said it can’t happen, you must have forgotten something,” Mr Thornton said.

“You mustn’t have reset your Apple ID, or you left your SIM in the phone [before you sold it].

“I thought, no, I work in IT – I kinda know what I’m doing here.”

A Telstra customer service representative told him his only option was to disable voicemail, Mr Thornton said.

After more than 24 hours trying to resolve the issue with Telstra customer service, a senior Telstra engineer apologised to Mr Thornton and confirmed what was already clear: two separate phones were accessing and downloading his personal voicemail.

“He [the engineer] had a direct line to Apple, and [when he told them about the issue] they said, ‘We don’t believe you’,” Mr Thornton said.

Telstra has now implemented a fix which rejects the old phone’s automatic requests to download Mr Thornton’s voicemails. However the telco has yet to determine the root cause of the problem.

“They know what the symptoms are but they don’t know what the cause is,” Mr Thornton said.

Replying to a post by Mr Thornton on Reddit, some suggested the problem may lie in Telstra’s visual voicemail using a mobile phone’s International Mobile Station Equipment Identity (IMEI) number for authentication. An IMEI is a unique number used to identify individual mobile devices.

However a Telstra spokesperson said the telco does not use IMEI numbers to authenticate visual voicemail.

Telstra is understood to not yet have been able to replicate the voicemail duplication issue, but is looking to analyse the individual iPhone 5 device to get to the bottom of the privacy breach.

“We are committed to protecting our customers’ privacy, keeping their personal information safe and ensuring the security of their data,” the Telstra spokesperson said.

It is unclear whether this type of problem has affected any other customers.

Mr Thornton said he was lucky the person who bought his iPhone 5 had been co-operative and forthcoming about the issue, but was worried about the implications for privacy-critical businesses such as law firms or medical and government organisations who resold their digital equipment.

He said he would “probably not” resell an old phone in the future, even though he’d done so three or four times in the past.

A recent Deloitte survey found 27 per cent of Australians give away their old mobile phones, while 8 per cent sell them.


One Response to “Another privacy breach by Telstra…”

  1. Another privacy breach by Telstra… | Australian Law Blogs

    […] Another privacy breach by Telstra… […]

Leave a Reply

Verified by MonsterInsights