The OAIC and the ACMA have published the results of their investigation

Mar 11, 2014 21:56 GMT

Telstra, Australia’s largest telecoms and media company, has been fined AU$10,200 ($9,200 / €6,600) after exposing the personal details of 15,775 customers.

The Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) have conducted an investigation into the incident. They’ve determined that the telecoms company breached the Privacy Act when it failed to protect customer data.

The breach was discovered in May 2013. It turned out that for more than a year Telstra had exposed the names, phone numbers and addresses of thousands of customers by allowing Google to index the information. The investigation determined that the records, 1,257 of which belonged to silent line (unlisted number) customers, were downloaded at least 166 times.
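The failure mode described above, customer documents readable without authentication and therefore open to search-engine indexing, is something an operator can audit for on its own hosts. The script below is an added example and is not Telstra's code or anything from the regulators' investigation: given response records for paths on a host, it classifies each as protected, exposed but not indexable, or exposed and indexable, and flags bodies that look like customer contact data. The records are constructed sample data and the field names and heuristics are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Heuristic for Australian phone numbers in common written forms, e.g.
# "02 9876 5432", "0412 345 678", "+61 2 9876 5432" (constructed for this example).
AU_PHONE_RE = re.compile(r"(?:\+61[ -]?|0)[2-478](?:[ -]?\d){8}")
# Heuristic for a street address: a house number followed by a capitalised
# street name and a common street-type word.
AU_ADDRESS_RE = re.compile(
    r"\b\d+[A-Za-z]?\s+[A-Z][a-z]+\s+(?:St|Street|Rd|Road|Ave|Avenue|Pde|Parade|Cres|Crescent)\b"
)


@dataclass
class Resource:
    """One fetched path, as seen by an unauthenticated client (assumed field names)."""
    path: str
    status: int                  # HTTP status returned without credentials
    headers: dict = field(default_factory=dict)
    body: str = ""
    disallowed_by_robots: bool = False  # True if robots.txt covers this path


def is_indexable(res: Resource) -> bool:
    """A crawler indexes a document only if it can read it without credentials
    and nothing tells it not to: a robots.txt Disallow (keeps a well-behaved
    crawler from fetching the body), an X-Robots-Tag header, or a
    <meta name="robots"> tag containing "noindex"."""
    if res.status != 200 or res.disallowed_by_robots:
        return False
    lower_headers = {k.lower(): v for k, v in res.headers.items()}
    if "noindex" in lower_headers.get("x-robots-tag", "").lower():
        return False
    meta = re.search(r'<meta\s+name="robots"\s+content="([^"]*)"', res.body, re.I)
    if meta and "noindex" in meta.group(1).lower():
        return False
    return True


def looks_like_customer_data(body: str) -> bool:
    """Flag a body that carries at least one phone number and one street address."""
    return bool(AU_PHONE_RE.search(body)) and bool(AU_ADDRESS_RE.search(body))


def classify(res: Resource) -> str:
    """Access control is the real control; indexability only decides how
    easily an exposed document is found."""
    if res.status in (401, 403):
        return "protected"
    if res.status != 200:
        return "unavailable"
    return "exposed-indexable" if is_indexable(res) else "exposed-not-indexable"


def audit(resources):
    """Return (path, verdict, contains_customer_data) for every resource."""
    return [
        (r.path, classify(r), r.status == 200 and looks_like_customer_data(r.body))
        for r in resources
    ]


# Constructed sample crawl of a hypothetical document host.
SAMPLE = [
    Resource("/reports/customer-list-2009.pdf", 200, {"Content-Type": "application/pdf"},
             "Jane Citizen, 12 Example Street, Sydney NSW 2000, 02 9876 5432"),
    Resource("/reports/internal-notes.html", 200, {"X-Robots-Tag": "noindex, nofollow"},
             "Meeting notes, no customer data."),
    Resource("/portal/accounts", 401),
    Resource("/archive/old-export.csv", 200, {},
             "name,phone,address\nJohn Citizen,0412 345 678,7 Sample Rd\n",
             disallowed_by_robots=True),
    Resource("/help/faq.html", 200, {},
             '<html><head><meta name="robots" content="noindex"></head><body>FAQ</body></html>'),
]

if __name__ == "__main__":
    for path, verdict, pii in audit(SAMPLE):
        marker = "CUSTOMER DATA" if pii else ""
        print(f"{verdict:24} {path} {marker}")
```

Note that a `noindex` signal or a robots.txt entry only keeps the document out of a search index; it does not make the document private. Anything the script reports as exposed, indexable or not, still needs an authentication check in front of it.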

The information belonged to Telstra customers from 2009 and earlier.

The OAIC and ACMA determined that Telstra violated the National Privacy Principles when it failed to take reasonable steps to secure customer information. It also breached the Telecommunications Consumer Protections Code, which requires telecoms companies to protect customer data from disclosure or unauthorized use.

“This incident is a timely reminder to all organisations that they should prioritise privacy. All entities bound by the Privacy Act must have in place security measures to protect personal information,” Privacy Commissioner Timothy Pilgrim explained.

The AU$10,200 ($9,200 / €6,600) fine was imposed by way of an infringement notice for contravening a Direction to Comply that the ACMA had previously issued over a Telecommunications Consumer Protections Code breach.

Telstra has agreed to take measures to prevent such incidents from recurring. These include exiting the software platform that allowed the breach to happen, reviewing contracts with third parties regarding the handling of personal information, and establishing a policy for central software management.

The Privacy Commissioner recommends that the company review its Document Retention Policy to make sure it meets the Australian Privacy Principles, which come into force tomorrow, March 12, 2014.

It also advises Telstra to contract a third-party auditor to certify that planned rectifications have been implemented.

“This incident provides lessons for all organisations — there is no ‘set and forget’ solution to information security and privacy in the digital environment. Organisations need to regularly review and improve security systems to avoid data breaches,” Pilgrim added.

ACMA Chairman Chris Chapman noted, “The ACMA welcomes Telstra’s agreement to the Privacy Commissioner’s recommendations. Telco providers are in a position of trust with respect to their customers’ details and with it comes a weighty responsibility — a fact reflected in the outcomes mandated by the TCP Code.”