29 June 2012

Telstra Breach

Last year I noted a large-scale data breach involving Telstra, another one of those recurrent instances that lead to scepticism about industry commitment to best practice in data protection.

The national Privacy Commissioner has today released a gentle report on its own motion investigation of the breach under the Privacy Act 1988 (Cth).

The Commissioner found Telstra to be in breach of National Privacy Principles 2.1 (Use and disclosure) and 4.1 (Data security) - characterised as "easily avoided if appropriate planning was undertaken" - but closed the investigation after reviewing the remediation plans Telstra has in place.

That is consistent with the Commissioner's response to previous incidents involving telcos (eg noted here), albeit this time the Commissioner appears to have sought to head off criticism by stating that
The Privacy Act does not give me the power to impose any penalties or seek enforceable undertakings from organisations I have investigated on my own initiative. However, the privacy law reforms that are currently before Parliament will provide me with additional powers and remedies when conducting such investigations. 
No indication of whether the Commissioner will actually use those "powers and remedies". The OAIC's waste of an opportunity to exhort the telco sector to best practice or even shame Telstra (in the absence of a financial penalty) suggests that not much is going to happen.

The Australian Communications & Media Authority found Telstra breached the Telecommunications Consumer Protections Code and was more acerbic in characterising Telstra's conduct.

Last year's breach involved potential online access to the records of some 730,000 Telstra customers, including information such as customer names, phone numbers, order numbers and, in a very limited number of cases, dates of birth, driver's licence numbers and credit card numbers.

The Commissioner
found the privacy breach occurred because of a series of errors revealing significant weaknesses in Telstra's reporting, monitoring and accountability systems. Of particular concern is that a number of Telstra staff knew about the security issues with the database but did not raise them with management. This incident could have been easily avoided if appropriate planning was undertaken. 
No indication, alas, of whether the Commissioner has consulted with Telstra's competitors to ascertain whether their customers are likely to encounter a similar breach. Nothing substantive regarding the articulation of standards or a strong call to best practice, desirable amid indications this week that Telstra has recently engaged in problematical sharing of information. Telstra does not appear to have a strong privacy culture and there has been no resounding public commitment on the part of its executive to ensure that the cotton wool isn't pulled over senior management's eyes in future.

ACMA's acting Chair commented
We are most concerned about the length of time–more than eight months–during which a significant number of Telstra customers’ personal information was publicly available and accessible
ACMA's report [PDF] is less positive than that from the Privacy Commissioner.

It states that -
the chain of events suggests that the Legal and Privacy departments relied on incorrect information provided to them on more than one occasion, and Telstra has provided no evidence to suggest that it prepared a report on this issue or escalated the matter internally once it became aware this had occurred. ...
Telstra has not provided any information on its processes to escalate and action identified privacy risks. Given the absence of this information and the number of times that it was identified and reported that the Visibility Tool could be externally accessed (twice in March 2011, once in July 2011 and once in November 2011), the ACMA does not accept Telstra’s assertion that the incident was caused by a failure of a small number of people to follow its processes and safeguards rather than a failure of its processes and safeguards themselves.
That is at odds with Telstra's low-key statement that -
As we did at the time, we sincerely apologise to any of our customers impacted. 
An incident like this is unacceptable. We take our privacy obligations very seriously and invest considerable time and resources in ensuring the privacy of our customers’ personal information. 
We conducted a full investigation into why this incident happened, in conjunction with the OAIC and the ACMA. We identified a number of areas where our technology, processes and training have to be improved. We have taken actions to improve all of these areas and will continue to do so.
The Privacy Commissioner indicates that "Telstra has committed to a remediation project to introduce significant measures to protect the security of the personal information it holds and prevent unauthorised access and disclosure in the future".

Telstra has been asked to provide a report by October 2012 on the progress of its remediation project and a final report by April 2013.