The Australian Communications and Media Authority (ACMA) has found that Telstra breached its customer privacy obligations when it leaked the personal information of about 734,000 of its customers to a freely available website.

On 9 December 2011, Telstra advised the Australian Communications and Media Authority that the names and in some cases addresses of up to 734,000 Telstra customers had been accessible via a link available on the internet. Usernames and passwords of up to 41,000 of these Telstra customers had also been accessible.

“Under clause 6.8.1 of the Telecommunications Consumer Protections Code (TCP Code) a Carriage Service Provider must protect the privacy of each customer’s billing and related personal information,” said Acting ACMA Chairman, Richard Bean.

The findings by ACMA come after the Australian Privacy Commissioner also found that Telstra had breached the Privacy Act 1988 for failing to protect the personal information of its users.

Telstra explained that it used a web-based customer management tool called the Visibility Tool to track orders for bundled products. Personal information such as usernames, passwords and addresses, and in some cases driver's licence numbers and dates of birth, was publicly accessible on the Visibility Tool from 29 March 2011 to 9 December 2011. The number of customers in the database increased from March to December, peaking at 734,000 customers by December 2011.

“We are most concerned about the length of time–more than eight months–during which a significant number of Telstra customers’ personal information was publicly available and accessible,” Richard Bean added.

Telstra was quick to offer an apology, with the company’s Executive Director of Customer Service, Peter Jamieson, saying that Telstra deeply regrets the incident.

“We deeply regret the incident. As we did at the time, we sincerely apologise to any of our customers impacted by this incident,” Mr Jamieson said.

“An incident like this is unacceptable. We take our privacy obligations very seriously and invest considerable time and resources in ensuring the privacy of our customers’ personal information.