16 March 2014

2013 Telstra Data Breach

The Australian Communications and Media Authority (ACMA) has imposed a $10,200 penalty on Telstra over the data breach noted last year. The Office of the Australian Information Commissioner has issued a complementary report.

The OAIC report is a major advance on its belated response to the preceding Telstra data breach, where its somewhat thin report appeared almost six months after the more detailed report from ACMA.

The OAIC had published two public reports on previous investigations into Telstra: one regarding the personal information (including names, addresses, usernames and passwords) of approximately 734,000 customers being made publicly available online in December 2011, and one regarding the mailout of approximately 220,000 letters with incorrect addresses in October 2010.

ACMA's latest report found that Telstra contravened the Telecommunications Consumer Protections Code (TCP), which requires telcos to ensure that the personal information of customers is protected from unauthorised use or disclosure and that telcos have 'robust procedures'.

ACMA noted that Telstra had failed to comply with directions over a previous code breach. On 3 September 2012 ACMA had directed Telstra to comply with clause 4.6.3 of the TCP Code, following an ACMA investigation into the December 2011 incident.

If you want a metric for the formal value of privacy, match the amount of the $10,200 infringement notice (the maximum penalty) to the 15,775 customers (including 1,257 customers with silent line numbers) whose details were available for 15 months during 2012 and 2013. There were reportedly at least 166 unique downloads of the details.

The ACMA report notes that -

Telstra has stated that the May 2013 incident was caused by the deployment of a software solution on 24 February 2012 by an external provider. The software solution was intended to increase the character limit of an Internet Protocol (IP) white list access control, to enable more authorised users to access certain internal documents (a customer churn database). While this aim was achieved, the solution also inadvertently resulted in a small proportion of files ceasing to be protected by the white list access controls. This led to a small proportion of spreadsheets containing customer data being indexed by Google on 23 June 2012, which were then able to be found online using a specific Google search.

Telstra states that at the time the software solution was deployed, it assumed that the external provider would continue to deliver a secure solution, and had no reason to believe that existing protections against unauthorised access would not continue to apply. Telstra’s investigation into the incident suggested that Telstra did not undertake a detailed review of the software solution deployed on 24 February 2012. While Telstra has stated that it thinks it is unlikely that additional testing would have identified the design flaw, in the data incident report it nevertheless acknowledges that additional review and testing should have been undertaken prior to the acceptance and deployment of the software solution.

ACMA indicates that it -

welcomes Telstra's agreement to the Privacy Commissioner's recommendations. Telco providers are in a position of trust with respect to their customers' details and with it comes a weighty responsibility - a fact reflected in the outcomes mandated by the TCP Code.

The OAIC report and the ACMA report both note that the breach involved customer data from 2009 and earlier.
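
The acceptance test that the ACMA passage says was missing can be made concrete. What follows is an added example, not Telstra's system and not code from either report: a constructed model of a path-scoped IP allow list, in which a vendor change splits one rule into per-directory rules to hold more entries and the platform falls open on any path no rule covers. coverage_regressions() lists every sensitive path that an outside address could not reach before the change but can after it, and shows that a fail-closed default removes the regression. All paths, addresses and rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    """IP allow list keyed by path prefix. Constructed model, not Telstra's platform."""
    rules: dict            # path prefix -> list of allowed networks (CIDR strings)
    fail_open: bool = False  # what happens when no rule matches the requested path


def is_allowed(policy: Policy, client_ip: str, path: str) -> bool:
    """Longest matching prefix wins, as a web server location block would."""
    ip = ipaddress.ip_address(client_ip)
    matches = [p for p in policy.rules if path.startswith(p)]
    if not matches:
        return policy.fail_open  # the unmatched-path behaviour is the whole question
    prefix = max(matches, key=len)
    return any(ip in ipaddress.ip_network(net) for net in policy.rules[prefix])


def coverage_regressions(before: Policy, after: Policy, paths, outside_ip: str) -> set:
    """Paths an outsider could not reach before the change but can reach after it."""
    return {p for p in paths
            if not is_allowed(before, outside_ip, p) and is_allowed(after, outside_ip, p)}


# Constructed sample data: three sensitive spreadsheets and an outside address.
SENSITIVE = ["/churn/2009/q1.xls", "/churn/2009/q2.xls", "/churn/archive/2008.xls"]
OUTSIDER = "203.0.113.7"  # documentation range, not an internal address

BEFORE = Policy({"/churn/": ["10.0.0.0/8"]})
# After the change the single rule is split per directory so more networks fit;
# the archive directory is left out of the new rule set.
NEW_RULES = {"/churn/2009/": ["10.0.0.0/8", "10.20.0.0/16"]}
AFTER_FAIL_OPEN = Policy(NEW_RULES, fail_open=True)
AFTER_FAIL_CLOSED = Policy(NEW_RULES, fail_open=False)

if __name__ == "__main__":
    # Acceptance gate: refuse the change if any sensitive path newly opens to outsiders.
    print(coverage_regressions(BEFORE, AFTER_FAIL_OPEN, SENSITIVE, OUTSIDER))
    print(coverage_regressions(BEFORE, AFTER_FAIL_CLOSED, SENSITIVE, OUTSIDER))
```

The same check run from an authorised internal address confirms the change still admits the users it was meant to admit, so the gate tests both directions.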

The OAIC investigation centred on whether Telstra took 'reasonable steps' (a key element of the OAIC's new Australian Privacy Principles guidelines) to protect customer information from misuse, loss, unauthorised access, modification or disclosure.

It found that Telstra failed to take reasonable steps to ensure the security of the data, commenting that the breached data

was accessible by way of a Google search that took them to some source material, which was some spreadsheets containing the personal information of these customers.

The OAIC concluded that Telstra
  • failed to take reasonable steps to ensure the security of the personal information that it held, in contravention of NPP 4.1;
  • failed to take reasonable steps to destroy or permanently de-identify the personal information it held, in contravention of NPP 4.2; and
  • disclosed personal information other than for a permitted purpose, in contravention of NPP 2.1.

Telstra indicates that it has now fixed the problem and agreed to actions such as
  • "exiting the software platform" on which the breach occurred;
  • establishing a clear policy for central software management;
  • reviewing contracts with third parties relating to personal information handling;
  • engaging an independent third party auditor by 12 March 2014 to certify that Telstra has implemented the planned rectification (that certification is to be provided to the Commissioner by 30 June 2014);
  • introducing more stringent information security controls around the procurement and management of software solutions;
  • establishing a “Security Exploration Team” to proactively search for any Telstra customer data that may be accessible online;
  • implementing a “Data Loss Prevention” program to improve security of customer data;
  • reviewing the management of third party providers to ensure they are aware of privacy and security requirements; and
  • developing and initiating a campaign to improve staff awareness of information security and privacy issues.

Telstra appears to have forgone its usual statement of contrition and avowal that it will never ever happen again. If you visit the Telstra site there are extensive pieces on 'mindfulness in the workplace' and on skiing, but nothing readily apparent on the infringement notice.