Written by staff writer.
The names, addresses, and phone numbers of 132,000 Telstra customers have been made public in what the telco calls a “misalignment of databases” rather than a data breach.
On December 9, Telstra published an apology saying the unlisted customer details were inadvertently published in the White Pages directories and were also available via directory assistance. The data leak was not the result of a cyber-attack.
In a post on the Telstra website, chief financial officer Michael Ackland said customer privacy was “paramount” and that the data release was an unacceptable breach.
Of the impacted customers, 16,000 had their information published in the White Pages, while the details of the remaining 116,000 customers were available via directory assistance. Ackland said Telstra discovered the data leak during a regular auditing process.
“We found there were misalignments where customers, who in our databases we believed should have been unlisted, were flagged as listed in the directory assistance database, and those 16,000 customers in the White Pages database,” he said.
“We’re sorry it occurred, and we know we have let you down. Our customer service has come a long way in recent years, including in truth-telling about our mistakes. As soon as we became aware, we started work to remove the identified impacted customers from the directory assistance service and the online version of the White Pages.”
Telstra says it is in the process of contacting impacted customers and is offering support through IDCARE. However, the telco also says that the data breach, although significant, is different to the recent cyber-attacks on Optus and Medibank Private. In those cases, identifying information was stolen, including driver’s licence details, passport details, and birth dates.
Nonetheless, in a letter to one impacted customer cited by the ABC, Telstra said that customer’s unlisted details were publicly available for 16 months between August 2021 and December 2022.
In the wake of the Optus and Medibank Private data breaches, the Australian government has been critical of how some companies handle and store customer data. The government is examining the possibility of tougher laws and harsher penalties for privacy breaches.
The White Pages and directory assistance predate the internet, dating from a time when readily available information sources were far fewer. While the directory is obsolete for many, Telstra's licence conditions still require it to produce a freely available annual alphabetical public number directory. Inclusion is also available to customers of competing telcos.
Per the Carrier Licence Conditions Declaration 1997 made under subsection 63(3) of the Telecommunications Act 1997, a standard entry in the White Pages includes a customer’s name, address, and at least one public number, which may be a mobile number and/or a geographic (or landline) number.
Critics say the data leak, while not malicious, raises privacy and safety concerns, particularly if the address and contact details of high-profile people and people such as domestic violence victims were made available. Ackland says customers have the right to expect their information to remain private, and an internal investigation is underway to understand how and why the leak happened.
“We’re continuing to review and look at our processes and how we audit and reconcile the databases to ensure it doesn’t happen again.”