Telstra pays tiddlywinks for huge privacy breach



blog We couldn’t help but be amused by this media release which Australian Privacy Commissioner Timothy Pilgrim issued this morning noting how Telstra had been reined in for a privacy breach which saw the information of 15,775 customers, including some 1,257 with silent numbers, made available publicly on the Internet between February 2012 and May 2013 (that’s right, that’s more than a year). Pilgrim made a strong statement regarding the issue, saying:

“This incident is a timely reminder to all organisations that they should prioritise privacy. All entities bound by the Privacy Act must have in place security measures to protect personal information.”

And Telstra has agreed to undertake a number of actions, including exiting the software platform on which the incident occurred, establishing a clear policy for central software management, and reviewing contracts with third parties relating to personal information-handling.

However, we can’t help but suspect that the telco considers itself to have gotten off relatively scot-free from the debacle, paying an infringement notice of only $10,200 in relation to its contravention of an earlier direction on the issue by the Australian Communications and Media Authority. Just to remind people: Telstra made headline sales revenue of $25.5 billion in 2013, with net profit of $3.9 billion. A measly $10k should not even be counted as pocket change compared to that sum; it’s not even what, in journalistic parlance, we usually refer to as a “parking fine”. No, in the context of Telstra’s finances, it’s basically nothing.

Of course, as the media release points out, from 12 March this year (that’s tomorrow), new privacy laws will be introduced. The Privacy Commissioner will be able to make a determination, accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders which can range from $340,000 for individuals and up to $1.7 million for companies. That’s certainly a lot more than $10k. But we still think it adds up to not much when we’re talking about companies as large as Telstra.

For more information on what happened, read the Privacy Commissioner’s report here.


  1. Considering the money and annoyance that can be made/occur from this (personal) information by third parties, even the new fines are totally inadequate.

    But it is Telstra. Money first, customers last. Along with a disastrous PR and support history.

  2. According to other media reports, it was 15,775 customers (not 1775, as is written above as I post this comment).

    • Not to mention the fact that Telstra are charging you an ongoing fee for doing the following ONCE, and ONCE ONLY:

      1. Automatically connect to the IPND
      2. Set number flag to “silent”

      So, $6 a month per client to hit a database once and never touch it again. This kind of garbage should be illegal.

  3. So they were fined 65 cents for each breach of privacy. What a joke. There should be some sort of minimum for these kinds of breaches plus an additional sum equal to a proportion of profits/revenue of the offending business. I’m sure that would make a lot of these companies think twice about security surrounding privacy.

Comments are closed.