Telstra Employee Data Posted to Internet Forum

Telstra, the market-leading telco in Australia, announced this week that there had been a breach of data relating to 30,000 current and former employees. Per Reuters’ report:

The data that was taken was “very basic in nature”, limited to names and email addresses, a company spokesperson said in a statement.

“We believe it’s been made available now in an attempt to profit from the Optus breach,” the spokesperson also said without elaborating.

The information that Telstra has disclosed about the breach is minimal but they emphasized that no customer data had been compromised. This makes it unlike the recent breach at second-place rivals Optus, which involved personal data for well over a third of Australia’s population. The number of customer accounts served by Telstra is approximately equal to three-quarters of Australia’s population.

The breached data had been uploaded to an internet forum. Telstra said they had not been hacked, but the compromise occurred within a third party that managed a rewards program for Telstra staff. The rewards program ended in 2017, meaning the hackers would not have any data relating to staff who subsequently joined Telstra.

Lazy analogies will be drawn between the Optus and Telstra breaches, but it is important to understand why exposing employee data to criminals can ultimately be more dangerous. Nobody wants customers to be hurt because their identities were taken over or their online accounts were raided, but the compromise of staff data can be the starting point for subversion of corporate systems: even a list of staff names and email addresses tells an attacker who to impersonate and who to target with phishing. That is why comms providers need to be even more careful when defending data relating to their staff, despite the blasé attitudes expressed by some telcos.

We can only speculate why Telstra indicated a possible link to the breach suffered by Optus. Perhaps the point is that the hackers were taking advantage of the publicity caused by Optus’ breach to generate rejuvenated interest in the data they had obtained. Or perhaps the hackers alluded to the risk of Telstra employees being enrolled for an even larger breach than that which occurred at Optus.

Feelings are running high in Australia, and government ministers have repeatedly lambasted Optus in public. Australians are not known for their tolerance of organizations that underperform; many Australians still refer to the third-largest mobile operator as Vodafail because of its history of network problems. However, some good may come from the public’s anger at privacy breaches if it forces a fundamental change in how telco executives think about the need to protect data.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.