09 December 2011

Wrathful sheep?

Another day, another data breach. This time it involves Telstra, which according to the SMH "faces the wrath of the Federal Privacy Commissioner after leaving customer details of potentially millions of customers exposed on the web including, reportedly, usernames and passwords". Oh dear, the fearsome wrath of an arthritic and timid sheep, a creature whose wrath is so very scary that it's ignored by the telecommunications industry.

The customer information was supposedly exposed through a search page used by "Telstra customer service agents", apparently counterparts of the Vodafone dealer network highlighted here, here and here. The data was not encrypted, with Telstra relying on security by obscurity.

Telstra hastily tore down the site after it became aware of the breach late this afternoon but not before computer security experts showed that it could be used to access customer details including their account numbers, broadband packages, technician visits and, in some cases, their email's usernames and passwords.

Media reports suggested credit check details were also accessible but that was not confirmed by Telstra. ...

Alarmingly, Telstra said it was unsure how many customers' details were potentially breached.

"(It's) unsure at this stage, it appears to be limited to bundled customers but we don't know how many," a Telstra spokeswoman said.

An update of last night's report states that -

Anyone who visits the page can search Telstra's customer database based on the customer's last name, account number, sales force ID or reference number.

They are then presented with detailed information outlining the customer's account number, what broadband plan they're on, what other Telstra services they're signed up to and notes associated with the customers' accounts including in many cases their usernames and passwords.

There are also other details about technician visits, SMS messages sent to private mobile numbers and credit check details ...

When informed of the site being accessible a Telstra spokeswoman said in a statement: "Telstra takes its customers' right to privacy very seriously and is taking immediate action to resolve this issue. We will investigate and keep our customers fully informed."

They later said: "We apologise to customers who may have been impacted by this issue. Telstra takes its customers' privacy seriously".

So seriously, apparently, that it didn't anticipate an obvious problem.

Fear not, "The privacy commissioner had been made aware of the breach and a full investigation and report into the lapse would be prepared as soon as possible" and of course Telstra "would also move as quickly as possible to notify customers of the breach and maintain transparency around reporting details of the incident".

It's time to question notions of "reasonable practice" and hold telcos to a meaningful standard rather than simply excusing problems on the basis that 'everyone in the industry is doing it'. It is also time to consider regulatory incapacity.

In a subsequent ABC report the Australian Communications Consumer Action Network (ACCAN) commented that

a Telstra database with up to 1 million customers' personal details was left open for anyone to view.

"We wanted to test it and we did and sure enough it was readily available - things like passwords, the details of problems having or wanting to change bundles," she said.

"Basically any contact that you would have with the customer centre about your bundle was readily available for anyone to see."

Ms Davidson says it is "almost unbelievable" that Telstra could let the bungle occur.

"ACCAN have been speaking to Telstra. They are obviously taking it very very seriously and are investigating," she said.

"It is hard to imagine how an error of this magnitude has happened, has been allowed to happen for a company the size of Telstra, with the number of the customers they have."

In my initial comment on the Vodafone debacle I suggested that there were problems across the industry, rather than merely in one network. It is time for investigation by ACMA if the national Privacy Commissioner lacks the expertise, the resources, the legislative charter or merely the vision to examine what is going wrong.

The Commissioner does have the authority to conduct 'own motion' investigations, need not wait for complaints by members of the public and might usefully emulate Australian and overseas peers in actively examining what is going on. Both the Australian community and industry need more than a wrathful sheep, an animal that although well meaning has clearly not persuaded major corporations to move to best practice and has not inspired action through fear of its mighty "wrath".