Telstra Corporation, it appears, has to work further in beefing up its privacy protocols as regulators said on Friday that the giant telco breached Australia's Privacy Act when it inadvertently exposed last year thousands of customers' personal information.
A ruling released today by the Privacy Commission found the company in violation of two National Privacy Principles, which occurred December last year and endangered personal data of the company's 734,000 customers.
The privacy breach, according to commissioner Timothy Pilgrim, nearly compromised the personal data of as many as 806,000 Telstra subscribers and within the numbers, usernames and passwords of 41,000 customers were briefly accessible via the internet because of the preventable glitch.
Mr Pilgrim said Telstra was particularly meticulous in ensuring that Aussies entrusting their privacy to the telco will be protected.
"The failure by Telstra to correctly categorise the database project in its design phase as one involving customer data meant that the database did not receive the appropriate level of protection from the very beginning," Mr Pilgrim was reported by Business Spectator as saying in the decision.
He added that "the privacy breach occurred because of a series of errors revealing significant weaknesses in Telstra's reporting, monitoring and accountability systems."
That operational loophole forced Telstra to temporarily shutdown if BigPond email system, which locked out millions from accessing their accounts until the company had successfully reset the security protocols of its network.
Telstra also received today sharp rebukes from the Australian Communications & Media Authority (ACMA), which pointed out that the company should have acted quick enough when the breach was first reported.
"We are most concerned about the length of time - more than eight months - during which a significant number of Telstra customers' personal information was publicly available and accessible," ACMA interim chair Richard Bean said.
But both agencies held back punishment for the firm, with Mr Pilgrim noting in his decision that "Telstra acted immediately to restrict access to personal information, commenced an investigation into the incident and implemented a number of security and policy measures."
To him, the commissioner added, "these actions could be seen as reasonable steps to protect the personal information held by Telstra from unauthorised access."
The commission also acknowledged the fact that in the immediate aftermath of the incidents, the telco has implemented necessary revisions on its Privacy Compliance Program, submitted its staff to proper training and allowed more involvement of the he Chief Privacy Officer.
ACMA, however, warned Telstra that another privacy breach in future could see the company facing possible lawsuits, as spearheaded by the regulator.
And that could come soon enough Telstra found itself again dealing with privacy issues this week.
According to The Sydney Morning Herald, Telstra's monitoring of its subscribers' internet habits has been detected and the company has acknowledged and vowed that "such an incident doesn't happen again."
To contact the editor, e-mail: