Telstra Fined For Failing to Perform Customer Authentication Checks

The Australian Communications and Media Authority (ACMA) has fined Telstra over AUD1.55 million after an investigation found it failed to perform required customer ID authentication processes, leaving thousands of Australians vulnerable to SIM-swap scams and other types of mobile fraud.

The investigation found the telco did not use the required ID authentication processes for 168,000 high-risk customer interactions, such as for SIM-swap requests and password resets, between August 2022 and April 2023. This included over 7,000 interactions for customers identified as being in vulnerable circumstances.

“While there is no direct evidence anyone suffered losses because of these breaches, customers need to be able to trust that their telcos are protecting their accounts from fraud,” said ACMA’s Samantha Yorke. “SIM-swap scams can be particularly devastating as victims can lose life savings as well as control of their phone number and other personal information.”

Yorke said the customer ID authentication rules introduced in 2022 had been very effective in reducing SIM-swap fraud. The rules require telcos to use multi-factor ID authentication, such as verification of one-time codes sent to consumers, before allowing transactions that may compromise a person’s account. “When the ACMA made these rules in mid-2022 we identified that victims of mobile fraud lose $28,000 on average,” she said. “It is unacceptable that Telstra did not have proper systems in place when the rules came into force.”

In addition to the financial penalty, the ACMA has accepted a comprehensive two-year court-enforceable undertaking from Telstra, committing it to appoint an independent consultant to review its compliance with the customer ID rules and to make improvements where needed.
