From February 2012 until May 2013 the names, addresses and phone numbers (including silent numbers) of 15,775 Telstra customers were publicly available online. In response to a complaint from a journalist who had discovered the personal information online, the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) carried out investigations, handing down their findings on the eve of the commencement of the new privacy law regime. The focus of this article is on the OAIC investigation.
Background to data breach
Telstra engaged a third party provider to host its retail customers' personal information on the third party provider's servers.
Telstra requested the third party provider to give access to its retail information via the platform to Telstra's authorised partners. To action this request, the third party provider was to selectively restrict access to Telstra's retail information to only the authorised partners.
When Telstra's request was deployed, the access control was inadvertently 'switched off' and the source files containing the customers' personal information were made publicly available online.
In June 2012, the source files were 'indexed' by Google, which made the personal information of 15,775 Telstra customers available via 'Google Search'. A journalist discovered the source files containing the full names, addresses and phone numbers (including silent phone numbers) when performing a 'Google search' on Telstra (among other criteria).
The personal information disclosed on the internet included full names, addresses and phone numbers and included 1,257 customers with silent phone numbers. Around 166 downloads of the 'source file' had occurred. The personal information was from 2009 and earlier. Alarmingly, this breach occurred at the time Telstra was taking remedial steps in response to the same type of breach in 2011.
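The breach described above is a deployment that was meant to narrow access to authorised partners but instead removed access control altogether, and nobody checked the result before customers' files were crawled and indexed. The following is an added example (not Telstra's or its hosting provider's code) of the kind of post-deployment gate that would have caught this: it probes every restricted resource as an anonymous user, as an unauthorised partner and as each authorised partner, and fails the deployment if any probe returns the wrong answer. The platform model, resource paths and partner names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Resource:
    path: str
    allowed_partners: Set[str]  # empty set means the resource is intentionally public


@dataclass
class Platform:
    """Constructed stand-in for the hosting provider's platform (not a real system)."""
    resources: Dict[str, Resource]
    access_control_enabled: bool = True  # the switch the article says was left off

    def fetch(self, path: str, partner: Optional[str] = None) -> int:
        """HTTP-style status for a request by `partner` (None means anonymous)."""
        res = self.resources.get(path)
        if res is None:
            return 404
        if not self.access_control_enabled or not res.allowed_partners:
            return 200  # served to anyone, which is the failure mode in the article
        return 200 if partner in res.allowed_partners else 403


def verify_access_control(platform: Platform, known_partners: Set[str]) -> List[str]:
    """Probe each restricted resource; return findings (empty list means the gate passes).

    Per restricted resource this checks that:
      1. anonymous requests are denied (the Telstra failure),
      2. a partner not on the allow-list is denied,
      3. every authorised partner is still allowed (guards against over-restricting).
    """
    findings: List[str] = []
    for res in platform.resources.values():
        if not res.allowed_partners:
            continue  # public by design; nothing to verify
        if platform.fetch(res.path) == 200:
            findings.append(f"{res.path}: readable anonymously")
        for outsider in sorted(known_partners - res.allowed_partners):
            if platform.fetch(res.path, outsider) == 200:
                findings.append(f"{res.path}: readable by unauthorised partner {outsider}")
        for insider in sorted(res.allowed_partners):
            if platform.fetch(res.path, insider) != 200:
                findings.append(f"{res.path}: authorised partner {insider} locked out")
    return findings


KNOWN_PARTNERS = {"partner-a", "partner-b", "partner-c"}  # constructed partner names


def build_platform(access_control_enabled: bool) -> Platform:
    """Constructed deployment: one restricted customer export and one public file."""
    export = "/exports/retail-customers.csv"
    resources = {
        export: Resource(export, {"partner-a", "partner-b"}),
        "/public/terms.html": Resource("/public/terms.html", set()),
    }
    return Platform(resources, access_control_enabled)


def deploy_and_verify(access_control_enabled: bool) -> List[str]:
    """Simulate a deployment and run the gate; an empty result means it is safe to go live."""
    return verify_access_control(build_platform(access_control_enabled), KNOWN_PARTNERS)


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"access control enabled={enabled}: {deploy_and_verify(enabled) or 'PASS'}")
```

The point of the third check is that a gate which only tests for over-exposure tends to be disabled the first time it blocks a legitimate partner; testing both directions keeps it in the pipeline. In a real deployment the `fetch` method would be replaced by actual HTTP requests made with no credentials and with each partner's credentials, and the same probes would run on a schedule, since the article notes that the exposure persisted for more than a year without any monitoring to detect it.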
Prior breaches by Telstra
Telstra had previously been investigated by the Privacy Commissioner for privacy breaches, which have been reported as follows:
- in 2013: 35,000 Bigpond Games customers had their privacy breached due to a "hacking attack" on user names and email addresses, which resulted in Telstra resetting customer passwords 'as a precaution'
- in 2011: personal information of 734,000 customers (held on the platform discussed above), including drivers' licences and dates of birth, was made publicly available online
- in 2010: a mailing list error resulted in 220,000 letters setting out customer phone numbers being sent to the wrong customers due to mismatched addresses.
OAIC investigation and findings
The key issues for the OAIC were to determine whether Telstra had breached the National Privacy Principles (NPPs) (as they then were) dealing with data security (NPPs 4.1 and 4.2) and use and disclosure of personal information (NPP 2.1). This required the OAIC to consider whether Telstra had:
- taken reasonable steps to protect customer personal information from misuse, loss, unauthorised access, modification or disclosure
- unlawfully disclosed personal information.
Did Telstra take reasonable steps?
No. The Commissioner found that 'reasonable steps' in the circumstances required reasonable adherence to security procedures. Further, Telstra had not implemented any vulnerability testing or monitoring to maintain the security of the personal information it held, even though Telstra was aware of the risk posed by the platform (given the prior breach in 2011).
In addition, the Commissioner found that Telstra had failed to take 'reasonable steps' by not destroying or permanently de-identifying personal information held on the platform. As such, Telstra had not complied with NPP 4.2 as the personal information was no longer needed for a lawful purpose.
Did Telstra unlawfully disclose personal information?
Yes. Because Telstra allowed the personal information to be made available online, and because 166 downloads of the data had been made, the Privacy Commissioner found that Telstra had unlawfully disclosed the personal information. It did not matter that the disclosure was 'accidental'.
What penalty did Telstra receive?
Telstra paid an infringement notice of $10,200 for failing to comply with a direction under the Telecommunications Consumer Protection Code. The direction to comply was issued by the ACMA. As such, no financial penalty was imposed on Telstra by the Privacy Commissioner.
Apart from payment of the infringement notice, Telstra took steps to rectify the breach by engaging a third party auditor, reviewing its documentation retention and software management policies and notifying affected customers (among others).
What if the privacy breaches had occurred under the new privacy law?
As the new privacy law only commenced on 12 March 2014, it is unclear to what extent the Information Commissioner would use and apply its enhanced powers to a privacy breach like Telstra's. However, given the history of prior and repeated interferences with the privacy of its customers, the maximum fine of $1.7m may have been imposed. Given the payment of around $10,000, it is possible that Telstra avoided $1.69m in penalties.
The Information Commissioner may have accepted an enforceable undertaking that Telstra would take specified action or refrain from taking specified action to comply with the privacy law or that Telstra would not do an act or engage in a practice that interferes with its customers' privacy. If Telstra did not comply, the Information Commissioner may apply to the courts to enforce the undertaking.
Further, as the privacy breach was notified to the OAIC in response to a complaint made by a member of the public, the Information Commissioner is now obligated to conciliate the matter and investigate the complaint, provided the Information Commissioner is satisfied that the act interferes with the privacy of an individual or where further action is warranted, given the circumstances.
How can we help you?
Our Privacy and Data Protection Team can assist you with your privacy law needs. Please contact a member of our team to discuss your specific requirements further.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.