A joint investigation by the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) has fined Telstra after the personal details of 15,775 customers leaked on to the internet.
The investigation found that between February 2012 and May 2013, the personal information from more than 15,775 Telstra customers, including 1257 active silent line customers, was accessible on the internet.
The investigation was launched following a complaint that the names, phone numbers and addresses had been accidentally made available to be viewed on the internet.
During the investigation, Telstra confirmed the records were downloaded by at least 166 unique users.
Get daily business news.
The latest stories, funding information, and expert advice. Free to sign up.
In a report published today, Privacy Commissioner Timothy Pilgrim found Telstra breached privacy laws by failing to take reasonable steps to ensure the security of the personal information it held and didn’t reasonable steps to destroy or permanently de-identify the personal information it held.
The incident was also found to be a disclosure of personal information other than for a permitted purpose, while a separate ACMA report also found the carrier breached clause 4.6.3 Telecommunications Consumer Protections Code.
Aside from receiving a $10,200 fine from ACMA, the telecommunications giant has agreed to stop using the software responsible for the error, implement a clear policy for central software management, and review contracts with third parties relating to personal information-handling.
In a statement, Pilgrim says businesses need to be careful to fulfil their privacy obligations.
“This incident is a timely reminder to all organisations that they should prioritise privacy. All entities bound by the Privacy Act must have in place security measures to protect personal information.
“This incident provides lessons for all organisations—there is no ‘set and forget’ solution to information security and privacy in the digital environment. Organisations need to regularly review and improve security systems to avoid data breaches.”
Meanwhile, ACMA chairman Chris Chapman says the case is a reminder of the privacy obligations of telecommunications carriers.
“The ACMA welcomes Telstra’s agreement to the Privacy Commissioner’s recommendations.
‘Telco providers are in a position of trust with respect to their customers’ details and with it comes a weighty responsibility—a fact reflected in the outcomes mandated by the TCP Code.”
The latest case is the latest in a string of investigations by OAIC into the carrier.
In December 2011, the personal details of approximately 734,000 Telstra customers were accidentally made available online in December 2011, while a mailing list error resulted in 220,000 letters being sent
As SmartCompany reported yesterday, the findings come just one day before new privacy legislation comes into force.
Under the new legislation, businesses could be fined up to $1.7 million per breach of the new regulations, which aim to bring Australia’s privacy laws up-to-date with technology trends.