Telstra suffers another data breach

5

davidthodeytelstra

blog It hasn’t been a good few years for the nation’s biggest telco Telstra when it comes to data breaches. It almost seems like every three to four months, there’s a new chunk of Telstra’s customer data leaked onto the public Internet, and the company has to make yet another apology to those affected, as well as kicking off another ‘review’ of its systems. News of the latest blunder comes from the Sydney Morning Herald, which writes (we recommend you click here for the full article):

“Fairfax found approximately 1677 customer records in one of the spreadsheets, which contained Telstra customers’ names, phone numbers, plan names and home addresses. A further three spreadsheets contained 8201 customer records that contained only names and telephone numbers, but not home addresses.”

Telstra has already attempted to apologise and clean up its mess. The company’s executive director of customer service for its consumer division, Peter Jamieson, writes on Telstra’s Exchange blog today:

“When we learnt some of our customers’ details were publicly available we immediately convened a team to have access to the data removed and commence an investigation. It is not acceptable, under any circumstances, for this to happen. Telstra takes seriously the confidentiality of all its customers’ data – our customers trust us and we recognise the responsibility this trust means to get this right. We have to do everything possible not to breach that trust.

We are still investigating what happened and the team worked round the clock last night looking through the data and trying to pinpoint how this actually happened. While some of the information is generally available, such as names, addresses and telephone numbers and up to six years old, we are acutely aware of the possibility that some of the information may be sensitive to some. We will take all steps to identify these customers and work with them on an individual basis. Additionally we will be contacting all customers whose information was inadvertently made available.

We take our customers’ privacy seriously; we have sophisticated tools and techniques and skilled people working on risks and privacy-related projects protecting the security of our customers’ information. What has happened is unacceptable, I apologise and assure everybody that we’ll find out exactly what has happened here and do everything we can to make sure this does not happen again.

Of course, not everyone believes that Telstra will be able to stop this kind of thing happening in future. Networking engineer and outspoken industry commentator Mark Newton wrote in response to Jamieson’s apology that he didn’t quite believe it:

“Telstra shows a pattern of behaviour around lack of respect for customer privacy, which includes this latest episode, prior examples of confidential information showing up on public websites, shipping customer clickstreams offshore without telling them during product trials, inspecting their communications content with Deep Packet Inspection equipment. We all know that despite fulminations about how this kind of thing mustn’t happen again, it actually will. It’ll keep happening until Telstra implements cultural change to prevent it.”

Personally, I’m willing to cut Telstra a little break when it comes to this kind of thing. After all, when you consider the amount of data that an organisation the size of Telstra actually stores, and how many employees it has, it’s probably surprising that it doesn’t leak bits and pieces more. This doesn’t excuse the practice — the best companies are good at guarding against this kind of thing — but it is useful context.

Image credit: Telstra

5 COMMENTS

  1. The size of Telstra’s customer base would rival some banks around the world but not the big banks or insurance companies how come I don’t hear about them leaking spreadsheets full of customer details online? If a bank or insurance company did leak this amount of detail they would be facing investigations and fines wouldnt they but Telstra seem to be self regulating in this area.

    • At the risk of appearing overly cynical, leaking information on customers hurts the bank directly – those details can be used against the bank to commit fraud. Telstra leaking customer information hurts only the customers.

      Self interest is a reasonable motivator.

  2. As long as there are no criminal penalties for these kinds of leaks that threaten to disrupt business operations businesses will continue to play roulette with security and customer data. Because the cold hard reality is it costs a lot less dealing with data breaches as they occur rather than finding the finds to do a comprehensive review of their entire systems. If large numbers of customers were willing to take their business elsewhere as a result they might start to take things seriously, but most Telstra customers lack the technical literacy to even understand what a data breach is, much less care (or recognise that Telstra’s failure to secure customer data is a valid reason for early termination of a contract period without financial penalty).

Comments are closed.