20 May 2013

Yeah, Yeah, Yeah

Normal administrative practice in Australian data breach territory: the federal privacy commissioner has launched an investigation into yet another Telstra data breach. Last week the mass media revealed that data about Telstra customers - thousands of customer names, telephone numbers and home and business addresses - had gone AWOL. The data showed up in a Google search as Excel spreadsheets.

The Privacy Commissioner has indicated that Telstra had briefed him about the incident - it's unclear whether that briefing was more detailed than featured in the pages of the Sydney Morning Herald - and informed him that the customer data was no longer online.

In the absence of meaningful data breach legislation (the subject of a bungled consultation noted here) it is unclear whether Telstra will face anything more than public shaming - which it shrugs off - and a slap with a lettuce leaf from the Privacy Commissioner.

The Commissioner indicates that

Telstra is currently investigating the incident and have started to contact affected customers. I have asked that Telstra provide me with further information on the incident, including how it occurred, what information was compromised and what steps they have taken to prevent a reoccurrence.

We might wonder about the effectiveness of those steps, given Telstra's history of data breaches (e.g. here) and the Commissioner's endorsement of past responses. Telstra executives have recurrently placed their hands on their hearts (presumably averting their eyes from the cash registers) and sworn that breaches "must not happen again" or stated that -

An incident like this is unacceptable. We take our privacy obligations very seriously and invest considerable time and resources in ensuring the privacy of our customers’ personal information.

Someone clearly isn't listening.

This month a Telstra spokesperson stated that

Like any customer of any company I have the expectation that my personal details are securely stored and not publicly accessible.
No doubt you all have the same expectations.
So when we learnt some of our customers’ details were publicly available we immediately convened a team to have access to the data removed and commence an investigation.
It is not acceptable, under any circumstances, for this to happen.
Telstra takes seriously the confidentiality of all its customers’ data – our customers trust us and we recognise the responsibility this trust means to get this right.
We have to do everything possible not to breach that trust.
We are still investigating what happened and the team worked round the clock last night looking through the data and trying to pinpoint how this actually happened.
While some of the information is generally available, such as names, addresses and telephone numbers and up to six years old, we are acutely aware of the possibility that some of the information may be sensitive to some.
We will take all steps to identify these customers and work with them on an individual basis. Additionally we will be contacting all customers whose information was inadvertently made available.
We take our customers’ privacy seriously; we have sophisticated tools and techniques and skilled people working on risks and privacy-related projects protecting the security of our customers’ information.
What has happened is unacceptable, I apologise and assure everybody that we’ll find out exactly what has happened here and do everything we can to make sure this does not happen again.

The Commissioner indicates that his investigation is a reminder to businesses about the importance of "ensuring appropriate levels of security are in place to protect the personal information they hold". The message, alas, is likely to be read as "yeah, yeah, yeah".

We might look instead at ACMA's criticism of Telstra - highlighted here - and even hope that there will be action under the telco regulation regime or that the Government will proceed with meaningful data breach legislation rather than a statute enshrining flagellation with a lettuce leaf.