Telstra, the market-leading telco in Australia, announced this week that there had been a breach of data relating to 30,000 current and former employees. Per Reuters’ report:
The data that was taken was “very basic in nature”, limited to names and email addresses, a company spokesperson said in a statement.
“We believe it’s been made available now in an attempt to profit from the Optus breach,” the spokesperson also said without elaborating.
The information that Telstra has disclosed about the breach is minimal, but the company emphasized that no customer data had been compromised. This makes it unlike the recent breach at second-place rival Optus, which involved personal data for well over a third of Australia’s population. The number of customer accounts served by Telstra is approximately equal to three-quarters of Australia’s population.
The breached data had been uploaded to an internet forum. Telstra said it had not been hacked; the compromise occurred at a third party that managed a rewards program for Telstra staff. The rewards program ended in 2017, meaning the hackers would not have any data relating to staff who subsequently joined Telstra.
Lazy analogies will be drawn between the Optus and Telstra breaches but it is important to understand why exposing employee data to criminals can ultimately be more dangerous. Nobody wants customers to be hurt because their identities were taken over or their online accounts were raided, but the compromise of staff data can be the starting point for subversion of corporate systems. That is why comms providers need to be even more careful when defending data relating to their staff, despite the blasé attitudes expressed by some telcos.
We can only speculate why Telstra indicated a possible link to the breach suffered by Optus. Perhaps the point is that the hackers were taking advantage of the publicity caused by Optus’ breach to generate renewed interest in the data they had obtained. Or perhaps the hackers alluded to the risk of Telstra employees being enrolled for an even larger breach than that which occurred at Optus.
Feelings are running high in Australia, and government ministers have repeatedly lambasted Optus in public. Australians are not known for their tolerance of organizations that underperform; many Australians still refer to the third-largest mobile operator as Vodafail because of its history of network problems. However, some good may come from the public’s anger at privacy breaches if it forces a fundamental change in how telco executives think about the need to protect data.