Telstra Fined Millions for Security Breach

A Telstra logo is seen as pedestrians walk outside the Telstra Melbourne headquarters in Melbourne, Australia, on June 14, 2017 (Michael Dodge/Getty Images)

Telstra has been fined $2.53 million (US$1.8 million), the largest fine ever issued by the Australian Communications and Media Authority (ACMA), after the company breached rules made to protect consumer privacy and safety.

ACMA’s investigation found Australia’s largest telecommunication company failed to correctly upload a customer’s choice of number as unlisted in almost 50,000 instances to the Integrated Public Number Database (IPND). This means these numbers could be published in public phone directories or be available through directory services.

The ACMA also found that Telstra failed to provide data to, or failed to update, the IPND for its Belong customers on over 65,000 occasions. Belong is a smaller telecommunications company that is owned by Telstra and uses the Telstra wholesale mobile network, which covers 98.8 percent compared to Telstra’s 99.5 percent.

The IPND comprises Australian phone numbers and their owners’ details and provides a vital resource to support Australia’s emergency services, law enforcement and national security agencies. The IPND is also used by Triple Zero to help locate people in an emergency, by the Emergency Alert Service to warn of emergencies like flood or bushfire, and to assist law enforcement activities.

ACMA Chair Nerida O'Loughlin said that by failing to provide the required information to the IPND, Telstra might put people’s safety at risk.

“When people request a silent number, it is often for very important privacy and safety reasons, and we know that the publication of their details can have serious consequences,” O'Loughlin said.

“The provision of these critical services can be hampered, and lives put in danger if data is missing, wrong or out of date. It is alarming that Telstra could get this so wrong on such a large scale,” O'Loughlin said.

The ACMA’s action follows findings in 2019 that Telstra had also breached the same obligations.

All telcos are required to upload customer information into the IPND for each service they offer. This includes the telephone number, the customer’s name, address, and whether the customer wants their number to be listed or unlisted. Tagging a number as listed or unlisted determines whether a customer’s details are available in public phone directories and directory assistance services.

Telstra currently provides 18.8 million mobile services a year. It is followed by its most significant competitor, the Singapore-owned telco Optus Australia. Optus had 10.5 million mobile subscriptions in 2019 and provides mobile service to 98.5 percent of Australia.

Vodafone, a British-owned telco, follows Optus with 5.25 million mobile customers in 2020 and a network coverage of 96 percent. The aftermath of this breach may result in Telstra customers leaving the telco for Optus, Vodafone or smaller online telco companies.

Optus, owned by Singtel, has had a longstanding connection with the Chinese-owned company Huawei. Both Optus and Vodafone employed Huawei modems in their 4G networks, with the former continuing to use ZTE and Huawei modems after Australia banned the two companies from joining the 5G network.