Telstra lists private numbers
Telstra has accidentally disclosed thousands of unlisted phone numbers.
The Australian Communications and Media Authority (ACMA) has identified a significant breach by Telstra Limited involving the unauthorised disclosure of unlisted phone numbers.
The investigation by ACMA revealed that Telstra breached its carrier licence conditions over 163,000 times, affecting more than 140,000 customers who had requested their numbers be kept private.
The breaches primarily occurred between 2021 and 2022, with Telstra mistakenly publishing 24,005 unlisted numbers in the White Pages directory.
Additionally, Telstra included 139,402 unlisted numbers in its directory assistance database, which is used by operators for services such as Call Connect and Directory Assistance.
In some cases, customer details were exposed in both the White Pages and the directory assistance database.
“While we are not aware of any harm to people as a result of these breaches, Telstra failing to safeguard customer information, putting people’s privacy and safety at risk, is a serious matter,” said Samantha Yorke, ACMA member and consumer lead.
“Telstra is entrusted with personal details of millions of Australians and those people have the right to expect that Telstra has robust systems and processes in place to ensure their information is being protected.”
Telstra proactively reported the incidents to ACMA after discovering systemic issues and process failures that led to the unintended disclosures.
In response, ACMA has issued a remedial direction to Telstra, mandating several corrective actions to ensure compliance and prevent future breaches.
The remedial measures require Telstra to reconcile its customer data with the White Pages and directory assistance database every six months.
Furthermore, Telstra must implement a comprehensive training program for its staff and undergo an independent audit of its systems and compliance procedures.
The direction will remain in effect until Telstra successfully implements the audit recommendations to fortify its data protection mechanisms.
Failure to comply with the remedial direction could result in ACMA initiating civil penalty proceedings in the Federal Court, with potential fines of up to $10 million per contravention.