Australian personal information being sold by corrupt at offshore call centres

November 16, 2016 |

Under the Australian Privacy Principle 8.1 an organisation must:

Before an APP entity discloses personal information about an individual to a person (the overseas recipient):

  1. who is not in Australia or an external Territory; and
  2. who is not the entity or the individual;

the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

In short an organisation must take reasonable steps to ensure whoever holds personal information overseas doesn’t breach the APPs.

There is clearly a breach of this principle by at least one security firm in Mumbai where its employees are selling personal information of Australians held by Vodafone, Telstra and Optus for between $350 and $1,000.  The story, Your mobile phone records and home address for sale provides:

 Corrupt insiders at offshore call centres are offering the private details of Australian customers of Optus, Telstra and Vodafone for sale to anyone prepared to pay.

A Fairfax Media investigation can reveal Mumbai-based security firm AI Solutions is asking between $350 and $1000 in exchange for the private information, but even more if the target is an Australian “VIP, politician, police, [or] celebrity”.

AI Solutions is just one of potentially several private companies selling phone records, home addresses and other private details of Australian telecommunication company customers. They in turn have received the information from employees of the call centres used widely by Australian businesses.

Security industry sources said the practice has been long-standing. AI Solutions has told customers it has sold people’s personal data for several years.

Optus has called in the federal police to investigate the data breach after it was contacted by Fairfax Media.

Optus, Telstra – which is holding an investor briefing in Sydney on Thursday – and Vodafone have stressed they are aware of the problem and have invested heavily in security procedures to counter it.

The revelation underscores the risks facing Australian consumers and businesses as a vast amount of personal or private data is collected and often stored offshore by service providers, financial institutions and government agencies.

It also raises fresh concerns about risks faced in using offshore call centres, where it may be more difficult to ensure data security.

AI Solutions actively markets its services to prospective Australian clients via an Indian businessman who uses the name Imran Khan. It is unclear if this is a false name.

But Fairfax Media has confirmed that AI Solutions has previously, and on numerous occasions, sold Australians’ personal data to third parties.

It recently wrote to a Melbourne corporate intelligence and security company, boasting that it has a “long list” of Australian clients buying data from the offshore call centres.

“There are … 3 major telecom numbers details I can provide you. Telstra, Vodafone and Optus,” the Indian company’s representative wrote in a text message to a prospective client seen by Fairfax Media.

The company charges $350 to provide a person’s home address and charges $1000 for a “full extract”. This includes a person’s home address, date of birth, alternative phone numbers and “more than 1 years billing statements” and “calling data history”.

“And for VIP, politician, police, celebrity, charges are different,” one message said.

While the data being illegally sold will not contain the actual content of text messages or what has been said during phone calls, it does contain information about who a person has called, the location at which a call is made and other sensitive data and metadata.

This information could be of use to companies engaged in corporate spying or intelligence gathering, private investigators, marketing firms and organised criminals seeking to engage in identity fraud, or to locate people. It is possible that foreign intelligence services could also use the data theft service.

The Indian firm requests payment via Western Union or Money Gram remittance services.

In his LinkedIn profile, “Imran Khan” writes that he is capable of “Under-Cover Operations, Property Investigation, Mobile Investigation” and “Interception in mobile communications technology in certain telecom companies”.

When asked for comment, “Imran Khan” replied in a message: “I spoke my attorney [sic] he said for your interview it will cost you 10,000$ aud. if you want to know the process and clients list ‘ because I guess I’m not doing anything unofficial ‘. Before going ahead make sure you have proper evidence ‘ or be ready for my claim (allegations) I have family in Australia too’. As I will get three claim. For three states.”

He later reduced his price for an interview to $8000.

An Optus spokesman said the matter had been referred to the Australian Federal Police and that “Optus is aware that a third party has attempted to infiltrate our call centres seeking access to customer data”.

Vodafone said in a statement that it is “aware there are individuals who do attempt to illegally access data through various channels from companies and organisations which hold customer information”.

“We would urge anyone who may have information about potential privacy breaches to report it to us for investigation and referral to authorities,” Vodafone said.

Telstra said in a statement that it was “aware this type of sophisticated criminal activity does take place from time to time across most industries and we do everything we can to protect our customers’ data”.

It urged customers who believed their data may have been breached to contact it so it could investigate and refer to police.

The Australian Federal Police said it had spoken with Optus and Vodafone and had subsequently provided information to Indian authorities.

Al Solutions has been approached for comment.

While it is within the purview of the Police to investigate this is a matter as much about regulation of the Privacy Act.  That means an investigation by the Privacy Commissioner.

One Response to “Australian personal information being sold by corrupt at offshore call centres”

  1. Australian personal information being sold by corrupt at offshore call centres | Australian Law Blogs

    […] Australian personal information being sold by corrupt at offshore call centres […]

Leave a Reply