Data breaches come in all shapes and sizes, as Telstra’s addition to the hall of infamy reveals.

Telstra reveals personal information on the web through its own technical error

December 13, 2022
Not all data breaches involve criminal acts by hackers breaking into a network and exfiltrating data. Sometimes an organisation will reveal data through its own actions. Telstra has suffered a data breach impacting 132,000 customers. The breach involved a technical error that resulted in personal information being made available online. Telstra describes it as a misalignment of databases. Technical errors of this nature are not inevitable. Poor planning by IT is a common reason: focusing on the end result rather than on the protections needed on the way through.

On 31 March 2020, the Federal Court of Australia made publicly available the names and details of several hundred people with cases currently or previously before the Court and the Federal Circuit Court (FCC) through the Commonwealth Courts Portal. Anyone visiting the Portal could have accessed the names and details of a person seeking asylum and information about their claim. The data breach was caused by an internal IT error. The Federal Court should have been investigated by the Information Commissioner. To its credit, it did commission a review by Professor John McMillan in August 2020, which resulted in a 38-page report that was, not unusually for the Australian public service, a mix of polite tut-tutting, gentle patting on the back for the work done and anodyne recommendations for improvement. If the breach had happened in the United States the landing would have been much bumpier. The Federal Court does have a publicly available data breach response plan. It is fairly bare-bones. One would expect a much more detailed plan to be available within the organisation.
Telstra is something of a frequent flyer in the data breach world: a data breach in October 2022 (“Australia’s Telstra hit by data breach, two weeks after attack on Optus”), in May 2021 (“Telstra service provider hit by cyber attack as hackers claim SIM card information stolen”), in July 2018 (“Telstra customer stumbles across contact details of 66,000 fellow customers”), in 2018 (“Medical records exposed by flaw in Telstra Health’s Argus software”) and the incident reported in “Telstra privacy breach leaves customer’s voicemail exposed”, amongst other matters. If Telstra were operating in the United Kingdom or United States the regulators would take very strong and very public action.
The ABC has run a reasonably detailed story, “Telstra apologises for accidentally publishing data of thousands of customers online”. It provides:
Telstra has apologised to thousands of Australians who had their details published accidentally online by the communications giant.
The company said the release of the names, numbers and addresses of some unlisted customers was not the result of any malicious cyber attack and was a mistake.
“For the customers impacted we understand this is an unacceptable breach of your trust,” Telstra executive Michael Ackland said.
“We’re sorry it occurred, and we know we have let you down.”
Impacted customers are being contacted and offered free services to combat identity theft.
The mishandling of customer data comes in the wake of data breaches at Optus and health insurer Medibank, where poor security processes allowed hackers to steal thousands of customers’ data.
Home Affairs Minister Clare O’Neil has previously blasted companies for poorly protecting customer data, as the government considers tougher laws to crack down on the handling of sensitive information and hackers.
The incidents with Optus and Medibank raised questions about why companies were retaining sensitive data years after they no longer had a use for it.