132,000 Customers Hit by Privacy Breach at Telstra

Internal mistakes rather than hackers have been blamed for the latest data protection failure to hurt phone users in Australia. Telstra is obliged to provide a web directory of phone numbers and a directory enquiry service, but they admitted on Friday that both had wrongly supplied the details of customers who should have remained unlisted. Australia’s largest telco apologized for the mistake via a corporate blog and explained that they…

…recently discovered an error which resulted in some customers’ names, numbers and addresses being listed when they should not have been. This was a result of a misalignment of databases – no cyber activity was involved.

The blog was issued in the name of Telstra CFO Michael Ackland, indicating that top management were not afraid to take responsibility. Based on how other telcos have behaved, it would have been easy for Telstra’s leaders to distance themselves by talking about system glitches. There was little information about why the breach occurred but Telstra did emphasize what they were doing to rectify things, which includes support for affected customers via IDCARE, a charity that mitigates the impact of privacy breaches suffered by Australians and New Zealanders.

As soon as we became aware, we started work to remove the identified impacted customers from the Directory Assistance service and the online version of the White Pages.

We’re in the process of contacting every affected customer to let them know, and to offer free support through IDCARE.

The Australian press had little additional insight to offer, beyond the clarification that 132,000 Telstra customers were said to have been affected.

One small crumb of comfort is that some telcos are finally beginning to understand that being transparent about their flaws is a better approach than routinely denying mistakes and playing down the consequences of breaches for customers. It was telling that Telstra commented:

Our customer service has come a long way in recent years, including in truth-telling about our mistakes – it is part of what drives us to make change.

There have been calls for the resignation of Kelly Bayer Rosmarin, CEO of Optus, the second largest Australian telco, following a breach which compromised identity details for almost 10 million Australians. Telcos have done a lousy job of learning from past data breaches, even though they collectively are responsible for maintaining and safeguarding important information about an overwhelming majority of people. Mistakes do happen and they will happen again. Trying to deflect blame just increases public cynicism, as evident from the response to Rosmarin’s clumsy handling of the Optus breach.

The big takeaway from this relatively minor breach by Telstra is that some telco executives are now changing tack, and confessing to errors in order to get ahead of the inevitable wave of criticism. This is the only effective way to maintain a degree of trust as the public becomes conscious of the true risk and likelihood of privacy breaches.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.