Telstra Fined For 'Compromising' Privacy of Customers
Telstra inadvertently published the personal data of nearly 16,000 customers, compromising their privacy.
The customers' personal data was reachable through Google search, which took the user to the source material. Spreadsheets containing personal data were indexed by Google and freely available on the Web. According to ABC News, the compromised data included customers' names, business names, phone numbers and addresses.
According to Lifehacker, the breach came to light around May 2013, but the report was released only today.
A Fairfax journalist reported that the Telstra customer data had been published. The journalist alerted the telco and informed the Office of the Australian Information Commissioner (OAIC). The OAIC launched a year-long investigation into the case with the Australian Communications and Media Authority (ACMA), and the reports are out today.
As per the reports, the agency found Telstra made the information of nearly 16,000 customers available over a period of 15 months during 2012 and 2013.
In a report released on Tuesday, Australian Privacy Commissioner Timothy Pilgrim found the telco had breached privacy laws by releasing the information and failing to take reasonable steps to secure it. He also noted Telstra "acted appropriately in responding to the data breach."
Telstra had already been found guilty of a previous offense in 2011 involving more than 700,000 customers. It was hit with a fine of $10,200, notably a very small amount compared to the humongous damage caused. According to Lifehacker, an external auditor will review at the end of June whether Telstra has fixed all the underlying problems.
"This incident is a timely reminder to all organisations that they should prioritize privacy," Pilgrim said, given that too many data breaches are happening across the world. The Target retail stores' POS data breach debacle is another example, Pilgrim added.
Telstra said it has now fixed the problem and it agreed to take actions, including exiting the software platform on which the breach happened. It has vowed to come up with a clear policy for "central software management," and review contracts with "third parties" relating to customer data handling.
Points to be Noted
1) Telstra's data management had been outsourced to an unnamed third-party vendor.
2) Even though the data breach was exposed in February 2012, Google did not index it until June 2012. This meant Telstra had enough time to react and take the necessary actions. Had it been monitoring its deployment more proactively, it might have avoided the data being indexed, as reported by Lifehacker.