australian telco fined for privacy breach - telstra final investigation report

Upload: indeep-media

Post on 13-Apr-2018


7/27/2019 Australian Telco Fined For Privacy Breach - Telstra Final Investigation Report

Investigation Report: Compliance with the Telecommunications Consumer Protections Code C628:2012 by Telstra Corporation Ltd

File No. ACMA2013/1477

Carriage Service Provider: Telstra Corporation Ltd, ABN 33 051 775 556

Type of Service or Product: Landline, broadband internet and mobile services

Scope: Clause 4.6.3, Telecommunications Consumer Protections Code C628:2012

Findings

The Australian Communications and Media Authority (ACMA) has found that Telstra Corporation Ltd (ABN 33 051 775 556) (Telstra) contravened clause 4.6.3 of the Telecommunications Consumer Protections Code C628:2012 (TCP Code) from 1 September 2012 to 15 May 2013, by failing to protect from unauthorised use or disclosure the personal information of 15,775 customers which was able to be accessed online. The ACMA has found that this conduct also contravened the direction given to Telstra by the ACMA on 3 September 2012 under subsection 121(1) of the Telecommunications Act 1997 (the Act).

Background

1. This report presents the findings of an investigation conducted by the ACMA into Telstra's compliance with clause 4.6.3 of the TCP Code, and consequently with the direction given to Telstra by the ACMA on 3 September 2012 to comply with clause 4.6.3 of the TCP Code.

2. The current TCP Code has been registered under Part 6 of the Act since 1 September 2012. It contains rules about how carriage service providers (CSPs) deal with their residential and small business customers. The rules apply to a range of CSP business practices, including the protection of personal information.

3. Telstra is one of the main providers of telecommunications services in Australia. Telstra is a carrier and a CSP within the meaning of the Act and a Supplier for the purposes of the TCP Code. Telstra is therefore required to comply with the provisions of the TCP Code.

4. On 3 September 2012, a direction was given to Telstra to comply with clause 4.6.3 of the TCP Code following an ACMA investigation into an incident identified in December 2011 (the December 2011 incident). The December 2011 incident involved the names and in some cases the addresses of approximately 734,000 Telstra customers, and the usernames and passwords of up to 41,000 of those customers, being found to be publicly available and accessible on the internet during the period from 29 March 2011 to 9 December 2011.

Relevant facts

5. In May 2013, Telstra contacted the ACMA to advise that it had learnt, via a journalist, that the names, phone numbers and addresses of around 15,775 Telstra customers had been available on the internet (the May 2013 incident).

6. Telstra subsequently confirmed that the information had been available from June 2012 to May 2013 and related to customer information from between 2006 and 2009. The records included the information of 1,257 active silent line customers. Of these, 950 related to Telstra retail customers, while 307 related to end users of Telstra's wholesale customers. Telstra also advised that there were at least 166 unique downloads of these records.

7. Telstra met with the ACMA to discuss the May 2013 incident on 15 October 2013 and provided the ACMA the Data Incident Report May 2013 (the data incident report) the following day. The report outlined the reasons for the incident and the steps Telstra was taking to prevent such an incident from happening again.

8. Having considered the information provided, on 18 October 2013 the ACMA commenced an investigation into Telstra under paragraph 510(1)(c) of the Act.

9. Clause 4.6.3 of the TCP Code states that:

Personal information: A Supplier must ensure that a Customer's or former Customer's Personal Information is protected from unauthorised use or disclosure and dealt with by the Supplier in compliance with all applicable privacy laws.

A Supplier must take the following actions to enable this outcome:

(a) Storage: have robust procedures for storing its Customers' Personal Information in its possession which are followed by its staff;

(b) Security: have robust procedures to keep its Customers' Personal Information in its possession secure and restrict access to personnel who are authorised by the Supplier; and

(c) Breach: ensure its staff understand that they may face disciplinary action if they breach the Supplier's privacy procedures, the Privacy Act or other privacy laws.

10. As explained in the introductory statement to the TCP Code, code rules are generally organised in two parts: a higher level outcome followed by some actions required to enable that outcome (emphasis added). Accordingly, it is possible for a supplier to contravene the higher level outcome part of a rule without having separately contravened the actions part.

11. The TCP Code adopts the definition of personal information under section 6 of the Privacy Act 1988 (Privacy Act), which defines personal information to include: information about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. In the ACMA's view, the customer information disclosed in the May 2013 incident is personal information within the meaning of the Privacy Act and Customer Personal Information within the meaning of the TCP Code.

12. On 6 November 2013, the ACMA provided Telstra with the preliminary findings of this investigation. Telstra provided a response to those findings on 25 November 2013. On 14 January 2014, Telstra met with the ACMA to give further context about the challenges involved in testing access controls on an ongoing basis. Telstra's further submissions have been considered prior to the ACMA forming a final view, and have been referred to in this report where relevant.

Findings and Reasons

Compliance with the TCP Code

13. The ACMA has considered Telstra's compliance with clause 4.6.3 of the TCP Code having regard to:

- Telstra's letter to the Australian Privacy Commissioner dated 23 May 2013, which provided the OAIC with formal notification of the May 2013 incident;

- Telstra's letter to the ACMA dated 26 August 2013, which provided the ACMA with an update on Telstra's investigation into the May 2013 incident;

- Information provided by Telstra at the 15 October 2013 meeting;

- The data incident report dated 16 August 2013;

- The submission provided by Telstra on 25 November 2013 in response to the ACMA's Preliminary Investigation Report; and

- Information provided by Telstra at the 14 January 2014 meeting and confirmed by email on 20 January 2014.

Cause of the May 2013 incident

14. Telstra has stated that the May 2013 incident was caused by the deployment of a software solution on 24 February 2012 by an external provider. The software solution was intended to increase the character limit of an Internet Protocol (IP) white list access control, to enable more authorised users to access certain internal documents (a customer churn database). While this aim was achieved, the solution also inadvertently resulted in a small proportion of files ceasing to be protected by the white list access controls. This led to a small proportion of spreadsheets containing customer data being indexed by Google on 23 June 2012, which were then able to be found online using a specific Google search.

15. Telstra states that at the time the software solution was deployed, it assumed that the external provider would continue to deliver a secure solution, and had no reason to believe that existing protections against unauthorised access would not continue to apply. Telstra's investigation into the incident suggested that Telstra did not undertake a detailed review of the software solution deployed on 24 February 2012. While Telstra has stated that it thinks it is unlikely that additional testing would have identified the design flaw[1], in the data incident report it nevertheless acknowledges that additional review and testing should have been undertaken prior to the acceptance and deployment of the software solution.

Relationship to the December 2011 incident

16. In its letter to the ACMA dated 26 August 2013, Telstra notes that while the May 2013 incident involved the same technology platform as the December 2011 incident, the circumstances and cause of each incident were very different. In its response to the ACMA's Preliminary Investigation Report, Telstra states that while the December 2011 incident was partly caused by internal administrative failings, the May 2013 incident resulted from a software solution entirely controlled by an external provider. Telstra states that in respect of the May 2013 incident it necessarily relied on the external provider to establish and maintain appropriate security controls.

17. The ACMA notes that the access control failures which ultimately led to the May 2013 incident occurred in the period immediately after the December 2011 incident. Telstra has advised that during this period, it was in the process of transitioning management of the external provider's platform to its IT area. While the data incident report notes that there were interim processes in place (including a special mailbox that was to be used to ensure software changes were reviewed by a security team), these processes were not followed when the software solution was deployed. While it appears that a Telstra employee tested the solution to ensure that authorised users were able to access the relevant documents, no test was undertaken to determine whether the documents could also be accessed by unauthorised users.
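The testing gap described in paragraph 17, and the ongoing-assurance point in paragraph 27, as a constructed Python example that is not part of the ACMA report or of Telstra's or its provider's systems: the whitelist config, document paths and IP addresses are all assumed, and the positive test that passes is shown beside the negative test that would have flagged the exposed spreadsheet.

```python
"""Constructed example: pairing the positive access-control test with the
negative one that the report says was never run after the February 2012 change."""
import ipaddress
from typing import Dict, List, Optional

# Hypothetical config: document path -> CIDR ranges allowed to fetch it.
# None models the failure mode in the report: a path whose whitelist was
# dropped by the change, so the (assumed) server answers any client.
Whitelist = Optional[List[str]]


def is_allowed(whitelist: Whitelist, client_ip: str) -> bool:
    """Whitelist decision for one path; a missing whitelist means open."""
    if whitelist is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in whitelist)


def positive_test(rules: Dict[str, Whitelist], authorised_ip: str) -> List[str]:
    """Paths an authorised client cannot reach: the only check that was run."""
    return [p for p, wl in rules.items() if not is_allowed(wl, authorised_ip)]


def negative_test(rules: Dict[str, Whitelist], outsider_ip: str) -> List[str]:
    """Paths an unauthorised client CAN reach: the check that was missing."""
    return [p for p, wl in rules.items() if is_allowed(wl, outsider_ip)]


def newly_exposed(before: Dict[str, Whitelist], after: Dict[str, Whitelist],
                  outsider_ip: str) -> List[str]:
    """Paths that denied the outsider before a change but allow it afterwards.
    Run on every deployment and on a schedule, not once at acceptance."""
    return sorted(set(negative_test(after, outsider_ip))
                  - set(negative_test(before, outsider_ip)))


CORP_NET = "10.20.0.0/16"          # constructed: original authorised range
EXTRA_NET = "10.30.0.0/16"         # constructed: range the change added
AUTHORISED_IP = "10.20.3.7"        # constructed staff address
OUTSIDER_IP = "203.0.113.45"       # constructed internet address

# Constructed config before the change: every spreadsheet whitelisted.
BEFORE = {
    "/reports/churn/2006_q1.xls": [CORP_NET],
    "/reports/churn/2006_q2.xls": [CORP_NET],
    "/reports/churn/2007_q1.xls": [CORP_NET],
    "/reports/churn/2009_q4.xls": [CORP_NET],
}

# Constructed config after the change: the wider range was added as intended,
# but one path lost its whitelist altogether.
AFTER = {
    "/reports/churn/2006_q1.xls": [CORP_NET, EXTRA_NET],
    "/reports/churn/2006_q2.xls": [CORP_NET, EXTRA_NET],
    "/reports/churn/2007_q1.xls": None,
    "/reports/churn/2009_q4.xls": [CORP_NET, EXTRA_NET],
}

if __name__ == "__main__":
    # The positive test alone reports success, as it did in 2012.
    print("unreachable by staff:", positive_test(AFTER, AUTHORISED_IP))
    # The negative test is what surfaces the exposed spreadsheet.
    print("reachable by outsider:", negative_test(AFTER, OUTSIDER_IP))
    print("exposed by this change:", newly_exposed(BEFORE, AFTER, OUTSIDER_IP))
```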

18. Telstra has acknowledged that there should have been more awareness about the need to closely monitor changes to access controls, particularly since the February 2012 software upgrade occurred so soon after the identification of the December 2011 incident.

Compliance with clause 4.6.3 of the TCP Code

19. As customer information was able to be accessed online as described above, the ACMA has found that Telstra failed to ensure that customers' and former customers' personal information was protected from unauthorised use or disclosure and dealt with in accordance with all applicable privacy laws.

20. The current TCP Code came into operation on 1 September 2012. The ACMA has therefore found that Telstra breached the headline clause of 4.6.3 of the TCP Code in respect of the May 2013 incident from 1 September 2012 to 15 May 2013, by failing to protect customer information during this period.

21. In its response to the Preliminary Investigation Report, Telstra argues that clause 4.6.3 of the TCP Code is satisfied if a provider takes the steps set out in subclauses (a), (b) and (c). It submits that the ACMA cannot assess breaches of the headline clause and the subclauses of the provision separately. As foreshadowed in paragraph 10 above, the ACMA does not accept this interpretation. The headline or outcome clause creates a distinct obligation and a provider can be found to be in contravention of that outcome obligation even if it has not separately contravened an actions obligation. The ACMA has assessed Telstra's compliance with clause 4.6.3 accordingly.

[1] Due to the difficulties of testing this type of software solution, and the large number of URLs that would have needed to be tested, approximately 56,000.

22. The ACMA also notes Telstra's submission that compliance with clause 4.6.3 of the TCP Code should be assessed with reference to the requirement to take reasonable steps to protect personal information set out in the National Privacy Principles.[2] While noting that clause 4.6.3 of the TCP Code refers to compliance with applicable privacy laws, the ACMA considers that this reference is additional to the requirement to protect customer information from unauthorised use or disclosure and does not operate to import the concept of reasonable steps from the Privacy Act with respect to the other requirements set out in that clause.[3]

23. Telstra has submitted that it did take reasonable steps to protect customer information and it is not reasonable to expect it to conduct ongoing testing of software solutions in circumstances where testing is unlikely, for technical reasons, to reveal vulnerabilities.[4] Telstra has advised that 6 out of over 56,000 different URL pathways were not protected by access controls, and they were only accessible through a specific and targeted URL search. The ACMA notes that clause 4.6.3(b) of the TCP Code requires a supplier to have robust procedures to keep its customer information secure and restrict access to authorised personnel. At the meeting on 14 January, Telstra advised that it had procedures in place to search for Telstra data which may have been disclosed or inadvertently made publicly accessible. However, the ACMA notes that the incident was discovered by a journalist's source, not by Telstra, and that the customer information in question was accessible for at least 11 months. The ACMA also notes that there were at least 166 unique downloads of these records, indicating the records may have been accessed by multiple people. The ACMA therefore considers it reasonable to conclude that the information could also have been found by Telstra, if it had robust procedures in place to protect customer information.

24. The ACMA is of the view that while every effort should be made to prevent unauthorised disclosure of customer information, providers should also have processes in place to address any problems that may not have been picked up initially, to ensure customer information is protected.

25. Telstra also submitted in its correspondence of 25 November that the May 2013 incident concerned a solution which was entirely controlled by the external provider, and that it relied on that provider to establish and maintain appropriate security controls. However, any reliance on the external provider has no bearing on whether Telstra breached clause 4.6.3. The TCP Code establishes an outcome which Telstra itself must deliver when dealing with customers, irrespective of any outsourcing arrangements it makes. Alternatively expressed, Telstra may (and no doubt often does) outsource various services but it cannot outsource its regulatory obligations when expressed in the form that clause 4.6.3 represents.

[2] NPP 4, Schedule 3, Privacy Act 1988.

[3] The headline clause of 4.6.3 provides that a supplier must ensure that a customer's or former customer's personal information is protected from unauthorised use or disclosure and dealt with by the Supplier in compliance with all applicable privacy laws.

[4] Telstra submits that ongoing testing on an open ended basis could potentially reveal no security weaknesses at all, even if these did exist.

26. In any event, Telstra's August data incident report sensibly acknowledges that a more detailed review should have taken place to minimise the risk of a security issue, particularly as the solution was deployed shortly following the discovery of the December 2011 incident.

27. From the evidence provided, the ACMA considers that Telstra did not have robust procedures in place from 1 September 2012 to 15 May 2013 to ensure, on an ongoing basis, that access controls remained secure, and that unauthorised users could not access customer databases. This resulted in Telstra failing to address the data breach and customer information remaining available online during the specified period. While the ACMA acknowledges that having robust procedures in place may not guarantee the prevention of a security breach in every instance, it is Telstra's responsibility to implement procedures to ensure that the personal information of its customers is kept secure.

28. Accordingly, the ACMA has found that Telstra has contravened clause 4.6.3 of the TCP Code from 1 September 2012 to 15 May 2013, by failing to ensure that customers' and former customers' personal information was protected from unauthorised use or disclosure and by failing to have robust procedures in place to keep customers' personal information in its possession secure and restrict access to authorised personnel.

Compliance with the 3 September 2012 Direction

29. In its response to the Preliminary Investigation Report, Telstra submits that it did not breach the direction given to it by the ACMA on 3 September 2012 to comply with clause 4.6.3 of the Code. It argues that even if it were to accept that there was a failure to adequately test the access controls on the platform supplied by the external provider, the failure occurred when the software solution was deployed in February 2012, 6 months before the direction was issued.

30. The ACMA accepts that the underlying cause of the May 2013 incident occurred before the direction was given. However, from the time that the direction was given on 3 September, customer information remained available on the internet for over eight months. Telstra therefore did not protect this customer information from unauthorised use or disclosure during this period. As discussed in paragraphs 23 to 28, there do not appear to have been robust procedures in place to protect customer information. Given the nature of the December 2011 incident, and the fact that Telstra had been issued a direction to comply with clause 4.6.3 of the Code on 3 September 2012, the ACMA considers it reasonable to expect that Telstra would implement procedures not only to prevent privacy breaches, but also to address any breaches that may not have been caught initially.

31. The ACMA has found that the failure to comply with clause 4.6.3 was the result of deficient processes and procedures. As noted in paragraph 27, it is apparent that a robust process to keep customers' personal information in its possession secure and restrict access to authorised personnel did not exist during the period from 1 September 2012 to 15 May 2013. This is despite Telstra undertaking to implement improved security and data control procedures following the December 2011 incident.

32. For the reasons outlined above, the ACMA has found that Telstra breached the direction from 3 September 2012 until 15 May 2013 by failing to ensure customer information was protected from unauthorised disclosure and by failing to have robust procedures in place to keep customers' personal information secure.

Telstra's response to the May 2013 incident

33. The information provided by Telstra indicates that as soon as it became aware of the data breach, it took steps to disable all public access links to the source and to have Google caches cleared to ensure that the data could not be accessed via a Google search. External access was removed before the incident was publicised in the media.

34. Telstra then took steps to contact all affected customers, and offer remediation as appropriate. It also implemented strategies to ensure affected customers of wholesale partners were contacted.

35. Telstra has advised in its letter of 26 August 2013 that as a result of the May 2013 incident, it is developing a new internal policy and procedure to ensure adequate review of software solutions.

36. Telstra states that it has implemented a number of measures to prevent future data breaches where possible, and to enable it to identify them where they do occur. These measures include:

- exiting the platform supplied by the external provider in December 2013;

- introducing more stringent information security controls around the procurement and management of software solutions;

- establishing a Security Exploration Team to proactively search for any Telstra customer data that may be accessible online;

- implementing a Data Loss Prevention program to improve security of customer data;

- reviewing the management of third party providers to ensure they are aware of privacy and security requirements; and

- developing and initiating a campaign to improve staff awareness of information security and privacy issues.

37. The ACMA considers that if effectively implemented, the above initiatives should improve Telstra's ongoing compliance with clause 4.6.3 of the TCP Code.