The Australian Communications and Media Authority (ACMA) has found that Telstra breached its customer privacy obligations when the personal information of about 734,000 of its customers was made available online.
ACMA stated in its investigation report that it is ‘of the view that Telstra Corporation Limited (Telstra) has contravened clause 6.8.1 of the Telecommunications Consumer Protections Code (the TCP Code) by failing to protect the privacy of the names and in some cases the addresses of approximately 734,000 Telstra customers, and the usernames and passwords of up to 41,000 of those customers’.
Telstra confirmed to ACMA that the privacy of its customers had been severely compromised over a period of nearly nine months by its website. This occurred through its web-based customer management tool, the Visibility Tool.
In an internal report on the breach Telstra found that from June 3 to December 8 the Visibility Tool received 108 access requests a day from unrecognised IP addresses, and that this jumped to 20,498 on December 9 when a story about the breach appeared in media sources.
Despite finding that Telstra had breached the code, ACMA has no powers to sanction or penalise it for its failure or inability to act over the nine month period.
ACCAN CEO Teresa Corbin said “This is a clear and serious breach of the Telecommunications Consumer Protection (TCP) Code. Unfortunately for consumers, the breach amounts to not much in the way of repercussions for Telstra. We strongly believe the ACMA needs stronger enforcement powers in order for the TCP Code to be effective. The ACMA is currently considering a new draft of the TCP Code for registration but our view remains that without effective enforcement, telecommunication providers can continue to seriously breach their obligations without fear of any fines or sanctions from the regulator.
“Telstra customers are rightly furious about this latest incident because it is the third time in less than a year that they’ve had to try to ascertain from Telstra if their privacy has been breached or not. People trust that the companies they do business will take all the necessary steps to protect their information and Telstra has now be found to have seriously breached that trust, the TCP Code and the Privacy Act. ”
ACMA’s powers under the Telecommunications Consumer Protection Code are limited to issuing directions to comply and the issuing of formal warnings, both of which are little comfort to consumers whose privacy has been violated.
CFA member ACCAN has been working for reform of the TCP Code for several years, noting that the weak enforcement provisions are one of the main problems with the current code.
Telstra has since taken steps to remedy this breach of its privacy procedures.
Find the investigation report here.