Australian Privacy Commissioner Timothy Pilgrim has begun an investigation after some Telstra customer’s phone numbers, names and home addresses contained in spreadsheets were found online during a Google search.
SMS Broadcast owner, Lee Gaywood, contacted the Sydney Morning Herald last week and said that he found the data when searching on Google for telco carrier access codes. According to Gaywood, he needed to know the codes for his SMS service to work.
Telstra took the files offline on 15 May after being notified of the breach by Fairfax, according to a <i>Sydney Morning Herald</i> report.
Pilgrim said that Telstra had briefed him about the incident, which it was also investigating.
“I have asked that Telstra provide me with further information on the incident, including how it occurred, what information was compromised and what steps they have taken to prevent a re-occurrence,” he said in a statement.
As part of Pilgrim’s investigation he will look at whether the telco’s practices were consistent with the <i>Privacy Act 1988</i> at the time of the incident.
“I would like to remind businesses about the importance of ensuring appropriate levels of security are in place to protect the personal information they hold,” he said.
Pilgrim warned that from 12 March 2014, he will have the power to take enforcement action that could result in fines of up to $1.7 million and conduct performance assessments of companies to determine whether they are handling personal information in accordance with the Australian Privacy Principles (APPs).
Telstra has been investigated by the Commissioner twice for data breaches in the past three years.
The first investigation took place on 28 October 2010 when Telstra told the Office of the Australian Information Commission (OAIC) that a mailing list error had resulted in approximately 220,000 letters with incorrect addresses being mailed out.
Following his investigation into the matter, Pilgrim concluded that Telstra had breached National Privacy Principle (NPP) 2 by disclosing the personal information of some of its customers to unauthorised third parties.
On 12 December 2011, Pilgrim was on the case again after Telstra’s customer service website was openly accessible on the Internet.
The telecommunications company said it was made aware of the privacy breach and disabled its online billing, BigPond self-care and My Account functions on its website.
Follow Hamish Barwick on Twitter: @HamishBarwick