Australian Telco Fined For Privacy Breach - Telstra Final Investigation Report
7/27/2019 Australian Telco Fined For Privacy Breach - Telstra Final Investigation Report
Investigation Report: Compliance with the Telecommunications Consumer Protections Code C628:2012 by Telstra Corporation Ltd
File No.: ACMA2013/1477
Carriage Service Provider: Telstra Corporation Ltd (ABN 33 051 775 556)
Type of Service or Product: Landline, broadband internet and mobile services
Scope: Clause 4.6.3, Telecommunications Consumer Protections Code C628:2012
Findings
The Australian Communications and Media Authority (ACMA) has found that Telstra
Corporation Ltd (ABN 33 051 775 556) (Telstra) contravened clause 4.6.3 of the
Telecommunications Consumer Protections Code C628:2012 (TCP Code) from 1 September
2012 to 15 May 2013, by failing to protect from unauthorised use or disclosure the personal
information of 15,775 customers which was able to be accessed online. The ACMA has found
that this conduct also contravened the direction given to Telstra by the ACMA on 3
September 2012 under subsection 121(1) of the Telecommunications Act 1997 (the Act).
Background
1. This report presents the findings of an investigation conducted by the ACMA into Telstra's
compliance with clause 4.6.3 of the TCP Code, and consequently with the direction given
to Telstra by the ACMA on 3 September 2012 to comply with clause 4.6.3 of the TCP
Code.
2. The current TCP Code has been registered under Part 6 of the Act since 1 September
2012. It contains rules about how carriage service providers (CSPs) deal with their
residential and small business customers. The rules apply to a range of CSP business
practices, including the protection of personal information.
3. Telstra is one of the main providers of telecommunications services in Australia. Telstra is
a carrier and a CSP within the meaning of the Act and a Supplier for the purposes of the
TCP Code. Telstra is therefore required to comply with the provisions of the TCP Code.
4. On 3 September 2012, a direction was given to Telstra to comply with clause 4.6.3 of the
TCP Code following an ACMA investigation into an incident identified in December 2011
(the December 2011 incident). The December 2011 incident involved the names and in
some cases the addresses of approximately 734,000 Telstra customers, and the
usernames and passwords of up to 41,000 of those customers, being found to be publicly
available and accessible on the internet during the period from 29 March 2011 to 9
December 2011.
Relevant facts
5. In May 2013, Telstra contacted the ACMA to advise that it had learnt, via a journalist, that
the names, phone numbers and addresses of around 15,775 Telstra customers had been
available on the internet (the May 2013 incident).
6. Telstra subsequently confirmed that the information had been available from June 2012 to
May 2013 and related to customer information from between 2006 and 2009. The records
included the information of 1,257 active silent line customers. Of these, 950 related to
Telstra retail customers, while 307 related to end users of Telstra's wholesale customers.
Telstra also advised that there were at least 166 unique downloads of these records.
7. Telstra met with the ACMA to discuss the May 2013 incident on 15 October 2013 and
provided the ACMA with the Data Incident Report May 2013 (the data incident report) the
following day. The report outlined the reasons for the incident and the steps Telstra was
taking to prevent such an incident from happening again.
8. Having considered the information provided, on 18 October 2013 the ACMA commenced
an investigation into Telstra under paragraph 510(1)(c) of the Act.
9. Clause 4.6.3 of the TCP Code states that:
Personal information: A Supplier must ensure that a Customer's or former Customer's
Personal Information is protected from unauthorised use or disclosure and dealt with by
the Supplier in compliance with all applicable privacy laws.
A Supplier must take the following actions to enable this outcome:
(a) Storage: have robust procedures for storing its Customers' Personal Information in
its possession which are followed by its staff;
(b) Security: have robust procedures to keep its Customers' Personal Information in its
possession secure and restrict access to personnel who are authorised by the Supplier;
and
(c) Breach: ensure its staff understand that they may face disciplinary action if they
breach the Supplier's privacy procedures, the Privacy Act or other privacy laws.
10. As explained in the introductory statement to the TCP Code, code rules are generally
organised in two parts: a higher level outcome followed by some actions required to
enable that outcome (emphasis added). Accordingly, it is possible for a supplier to
contravene the higher level outcome part of a rule without having separately
contravened the actions part.
11. The TCP Code adopts the definition of personal information under section 6 of the
Privacy Act 1988 (Privacy Act), which defines personal information to include:
information about an individual whose identity is apparent, or can reasonably be
ascertained, from the information or opinion. In the ACMA's view, the customer
information disclosed in the May 2013 incident is personal information within the
meaning of the Privacy Act and of Customer Personal Information within the meaning of
the TCP Code.
12. On 6 November 2013, the ACMA provided Telstra with the preliminary findings of this
investigation. Telstra provided a response to those findings on 25 November 2013. On 14
January 2014, Telstra met with the ACMA to give further context about the challenges
involved in testing access controls on an ongoing basis. Telstra's further submissions
have been considered prior to the ACMA forming a final view, and have been referred to
in this report where relevant.
Findings and Reasons
Compliance with the TCP Code
13. The ACMA has considered Telstra's compliance with clause 4.6.3 of the TCP Code
having regard to:
Telstra's letter to the Australian Privacy Commissioner dated 23 May 2013,
which provided the OAIC with formal notification of the May 2013 incident;
Telstra's letter to the ACMA dated 26 August 2013, which provided the ACMA
with an update on Telstra's investigation into the May 2013 incident;
Information provided by Telstra at the 15 October 2013 meeting;
The data incident report dated 16 August 2013;
The submission provided by Telstra on 25 November 2013 in response to the
ACMA's Preliminary Investigation Report; and
Information provided by Telstra at the 14 January 2014 meeting and
confirmed by email on 20 January 2014.
Cause of the May 2013 incident
14. Telstra has stated that the May 2013 incident was caused by the deployment of a
software solution on 24 February 2012 by an external provider. The software solution was
intended to increase the character limit of an Internet Protocol (IP) white list access
control, to enable more authorised users to access certain internal documents (a
customer churn database). While this aim was achieved, the solution also inadvertently
resulted in a small proportion of files ceasing to be protected by the white list access
controls. This led to a small proportion of spreadsheets containing customer data being
indexed by Google on 23 June 2012, which were then able to be found online using a
specific Google search.
15. Telstra states that at the time the software solution was deployed, it assumed that the
external provider would continue to deliver a secure solution, and had no reason to
believe that existing protections against unauthorised access would not continue to apply.
Telstra's investigation into the incident suggested that Telstra did not undertake a detailed
review of the software solution deployed on 24 February 2012. While Telstra has stated
that it thinks it is unlikely that additional testing would have identified the design flaw[1], in
the data incident report it nevertheless acknowledges that additional review and testing
should have been undertaken prior to the acceptance and deployment of the software
solution.
Relationship to the December 2011 incident
16. In its letter to the ACMA dated 26 August 2013, Telstra notes that while the May 2013
incident involved the same technology platform as the December 2011 incident, the
circumstances and cause of each incident were very different. In its response to the
ACMA's Preliminary Investigation Report, Telstra states that while the December 2011
incident was partly caused by internal administrative failings, the May 2013 incident
resulted from a software solution entirely controlled by an external provider. Telstra states
that in respect of the May 2013 incident it necessarily relied on the external provider to
establish and maintain appropriate security controls.
17. The ACMA notes that the access control failures which ultimately led to the May 2013
incident occurred in the period immediately after the December 2011 incident. Telstra has
advised that during this period, it was in the process of transitioning management of the
external providers platform to its IT area. While the data incident report notes that there
were interim processes in place (including a special mailbox that was to be used to
ensure software changes were reviewed by a security team), these processes were not
followed when the software solution was deployed. While it appears that a Telstra
employee tested the solution to ensure that authorised users were able to access the
relevant documents, no test was undertaken to determine whether the documents could
also be accessed by unauthorised users.
18. Telstra has acknowledged that there should have been more awareness about the need
to closely monitor changes to access controls, particularly since the February 2012
software upgrade occurred so soon after the identification of the December 2011 incident.
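The gap described in paragraph 17 (an authorised user was confirmed to still have access, but nobody checked that unauthorised users were now refused) is caught by auditing every protected path in both directions after an access-control change. The example below is added here and is not Telstra's, the external provider's or the ACMA's code; the path-prefix allow-list model, the file paths and the IP addresses are constructed to mirror the incident, not taken from the report.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PathAllowList:
    """Path-prefix IP allow list (constructed model of the access control
    described in the report). A request is permitted only if the longest
    matching prefix rule lists the client's network. A path matched by no
    rule is served to anyone: this is how files 'cease to be protected'."""
    rules: dict  # path prefix -> list of ipaddress.ip_network

    def is_allowed(self, path: str, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        matching = [p for p in self.rules if path.startswith(p)]
        if not matching:
            return True  # no rule covers this path: effectively public
        rule = max(matching, key=len)
        return any(ip in net for net in self.rules[rule])


def audit_coverage(acl, paths, authorised_ip, outsider_ip):
    """Test every path in BOTH directions. Returns (unprotected, locked_out):
    paths an outsider can reach, and paths an authorised user cannot."""
    unprotected = [p for p in paths if acl.is_allowed(p, outsider_ip)]
    locked_out = [p for p in paths if not acl.is_allowed(p, authorised_ip)]
    return unprotected, locked_out


def positive_only_test(acl, paths, authorised_ip):
    """The check that was actually performed in the incident: confirm an
    authorised user can still reach the documents. It cannot detect a path
    that has become reachable by everyone."""
    return all(acl.is_allowed(p, authorised_ip) for p in paths)


# Constructed sample: ten spreadsheets, one internal /16 before the change,
# and a widened allow list afterwards that silently lost the /exports/ rule.
PATHS = [f"/churn/reports/q{i}.xlsx" for i in range(1, 8)] + \
        [f"/churn/exports/batch{i}.csv" for i in range(1, 4)]
NET_A = ipaddress.ip_network("10.1.0.0/16")
NET_B = ipaddress.ip_network("10.2.0.0/16")
ACL_BEFORE = PathAllowList({"/churn/reports/": [NET_A], "/churn/exports/": [NET_A]})
ACL_AFTER = PathAllowList({"/churn/reports/": [NET_A, NET_B]})  # exports rule gone

AUTHORISED = "10.1.20.30"  # inside NET_A both before and after the change
OUTSIDER = "203.0.113.9"   # documentation-range address standing in for the internet


def run_audits():
    """Returns (positive_only_passed, unprotected_after, locked_out_after)."""
    passed = positive_only_test(ACL_AFTER, PATHS, AUTHORISED)
    unprotected, locked_out = audit_coverage(ACL_AFTER, PATHS, AUTHORISED, OUTSIDER)
    return passed, unprotected, locked_out


if __name__ == "__main__":
    passed, unprotected, locked_out = run_audits()
    print("positive-only test passed:", passed)            # True: the gap is invisible
    print("paths reachable by an outsider:", unprotected)  # the three /exports/ files
    print("paths blocked for authorised user:", locked_out)
```

The same audit run against the pre-change rule set reports no unprotected and no locked-out paths, which is the baseline a change review should require both before and after deployment.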
Compliance with clause 4.6.3 of the TCP Code
19. As customer information was able to be accessed online as described above, the ACMA
has found that Telstra failed to ensure that customers' and former customers' personal
information was protected from unauthorised use or disclosure and dealt with in
accordance with all applicable privacy laws.
20. The current TCP Code came into operation on 1 September 2012. The ACMA has
therefore found that Telstra breached the headline clause of 4.6.3 of the TCP Code in
respect of the May 2013 incident from 1 September 2012 to 15 May 2013, by failing to
protect customer information during this period.
21. In its response to the Preliminary Investigation Report, Telstra argues that clause 4.6.3 of
the TCP Code is satisfied if a provider takes the steps set out in subclauses (a), (b) and
(c). It submits that the ACMA cannot assess breaches of the headline clause and the
subclauses of the provision separately. As foreshadowed in paragraph 10 above, the
[1] Due to the difficulties of testing this type of software solution, and the large number of URLs that would have needed to be tested, approximately 56,000.
ACMA does not accept this interpretation. The headline or outcome clause creates a
distinct obligation and a provider can be found to be in contravention of that outcome
obligation even if it has not separately contravened an actions obligation. The ACMA has
assessed Telstra's compliance with clause 4.6.3 accordingly.
22. The ACMA also notes Telstra's submission that compliance with clause 4.6.3 of the TCP
Code should be assessed with reference to the requirement to take reasonable steps to
protect personal information set out in the National Privacy Principles.[2] While noting that
clause 4.6.3 of the TCP Code refers to compliance with applicable privacy laws, the
ACMA considers that this reference is additional to the requirement to protect customer
information from unauthorised use or disclosure and does not operate to import the
concept of reasonable steps from the Privacy Act with respect to the other requirements
set out in that clause.[3]
23. Telstra has submitted that it did take reasonable steps to protect customer information
and it is not reasonable to expect it to conduct ongoing testing of software solutions in
circumstances where testing is unlikely, for technical reasons, to reveal vulnerabilities.[4]
Telstra has advised that 6 out of over 56,000 different URL pathways were not protected
by access controls, and they were only accessible through a specific and targeted URL
search. The ACMA notes that clause 4.6.3(b) of the TCP Code requires a supplier to
have robust procedures to keep its customer information secure and restrict access to
authorised personnel. At the meeting on the 14th of January, Telstra advised that it had
procedures in place to search for Telstra data which may have been disclosed or
inadvertently made publicly accessible. However, the ACMA notes that the incident was
discovered by a journalist's source, not by Telstra, and that the customer information in
question was accessible for at least 11 months. The ACMA also notes that there were at
least 166 unique downloads of these records, indicating the records may have been
accessed by multiple people. The ACMA therefore considers it reasonable to conclude
that the information could also have been found by Telstra, if it had robust procedures in
place to protect customer information.
24. The ACMA is of the view that while every effort should be made to prevent unauthorised
disclosure of customer information, providers should also have processes in place to
address any problems that may not have been picked up initially, to ensure customer
information is protected.
25. Telstra also submitted in its correspondence of 25 November that the May 2013 incident
concerned a solution which was entirely controlled by the external provider, and that it
relied on that provider to establish and maintain appropriate security controls. However,
any reliance on the external provider has no bearing on whether Telstra breached clause
4.6.3. The TCP Code establishes an outcome which Telstra itself must deliver when
dealing with customers, irrespective of any outsourcing arrangements it makes.
Alternatively expressed, Telstra may (and no doubt often does) outsource various
[2] NPP 4, Schedule 3, Privacy Act 1988.
[3] The headline clause of 4.6.3 provides that a supplier must ensure that a customer's or former
customer's personal information is protected from unauthorised use or disclosure and dealt with by
the Supplier in compliance with all applicable privacy laws.
[4] Telstra submits that ongoing testing on an open ended basis could potentially reveal no security
weaknesses at all, even if these did exist.
services but it cannot outsource its regulatory obligations when expressed in the form that
clause 4.6.3 represents.
26. In any event, Telstra's August data incident report sensibly acknowledges that a more
detailed review should have taken place to minimise the risk of a security issue,
particularly as the solution was deployed shortly following the discovery of the December
2011 incident.
27. From the evidence provided, the ACMA considers that Telstra did not have robust
procedures in place from 1 September 2012 to 15 May 2013 to ensure, on an ongoing
basis, that access controls remained secure, and that unauthorised users could not
access customer databases. This resulted in Telstra failing to address the data breach
and customer information remaining available online during the specified period. While
the ACMA acknowledges that having robust procedures in place may not guarantee the
prevention of a security breach in every instance, it is Telstra's responsibility to implement
procedures to ensure that the personal information of its customers is kept secure.
28. Accordingly, the ACMA has found that Telstra has contravened clause 4.6.3 of the TCP
Code from 1 September 2012 to 15 May 2013, by failing to ensure that customers' and
former customers' personal information was protected from unauthorised use or
disclosure and by failing to have robust procedures in place to keep customers' personal
information in its possession secure and restrict access to authorised personnel.
Compliance with the 3 September 2012 Direction
29. In its response to the Preliminary Investigation Report, Telstra submits that it did not
breach the direction given to it by the ACMA on 3 September 2012 to comply with clause
4.6.3 of the Code. It argues that even if it were to accept that there was a failure to
adequately test the access controls on the platform supplied by the external provider, the
failure occurred when the software solution was deployed in February 2012, 6 months
before the direction was issued.
30. The ACMA accepts that the underlying cause of the May 2013 incident occurred before
the direction was given. However, from the time that the direction was given on 3
September, customer information remained available on the internet for over eight
months. Telstra therefore did not protect this customer information from unauthorised use
or disclosure during this period. As discussed in paragraphs 23 to 28, there do not appear
to have been robust procedures in place to protect customer information. Given the
nature of the December 2011 incident, and the fact that Telstra had been issued a
direction to comply with clause 4.6.3 of the Code on 3 September 2012, the ACMA
considers it reasonable to expect that Telstra would implement procedures not only to
prevent privacy breaches, but also to address any breaches that may not have been
caught initially.
31. The ACMA has found that the failure to comply with clause 4.6.3 was the result of
deficient processes and procedures. As noted in paragraph 27, it is apparent that a robust
process to keep customers' personal information in its possession secure and restrict
access to authorised personnel did not exist during the period from 1 September 2012 to
15 May 2013. This is despite Telstra undertaking to implement improved security and
data control procedures following the December 2011 incident.
32. For the reasons outlined above, the ACMA has found that Telstra breached the direction
from 3 September 2012 until 15 May 2013 by failing to ensure customer information was
protected from unauthorised disclosure and by failing to have robust procedures in place
to keep customers' personal information secure.
Telstra's response to the May 2013 incident
33. The information provided by Telstra indicates that as soon as it became aware of the data
breach, it took steps to disable all public access links to the source and to have Google
caches cleared to ensure that the data could not be accessed via a Google search.
External access was removed before the incident was publicised in the media.
34. Telstra then took steps to contact all affected customers, and offer remediation as
appropriate. It also implemented strategies to ensure affected customers of wholesale
partners were contacted.
35. Telstra has advised in its letter of 26 August 2013 that as a result of the May 2013
incident, it is developing a new internal policy and procedure to ensure adequate review
of software solutions.
36. Telstra states that it has implemented a number of measures to prevent future data
breaches where possible, and to enable it to identify them where they do occur. These
measures include:
exiting the platform supplied by the external provider in December 2013;
introducing more stringent information security controls around the procurement and
management of software solutions;
establishing a Security Exploration Team to proactively search for any Telstra
customer data that may be accessible online;
implementing a Data Loss Prevention program to improve security of customer data;
reviewing the management of third party providers to ensure they are aware of
privacy and security requirements; and
developing and initiating a campaign to improve staff awareness of information
security and privacy issues.
37. The ACMA considers that if effectively implemented, the above initiatives should improve
Telstra's ongoing compliance with clause 4.6.3 of the TCP Code.