
Investigation Report: Compliance with the Telecommunications Consumer Protections Code C628:2012 by Telstra Corporation Ltd

File No.: ACMA2013/1477
Carriage Service Provider: Telstra Corporation Ltd
ABN: 33 051 775 556
Type of Service or Product: Landline, broadband internet and mobile services
Scope: Clause 4.6.3, Telecommunications Consumer Protections Code C628:2012

Findings
The Australian Communications and Media Authority (ACMA) has found that Telstra Corporation Ltd (ABN 33 051 775 556) (Telstra) contravened clause 4.6.3 of the Telecommunications Consumer Protections Code C628:2012 (TCP Code) from 1 September 2012 to 15 May 2013, by failing to protect from unauthorised use or disclosure the personal information of 15,775 customers which was able to be accessed online. The ACMA has found that this conduct also contravened the direction given to Telstra by the ACMA on 3 September 2012 under subsection 121(1) of the Telecommunications Act 1997 (the Act).

Background
1. This report presents the findings of an investigation conducted by the ACMA into Telstra's compliance with clause 4.6.3 of the TCP Code, and consequently with the direction given to Telstra by the ACMA on 3 September 2012 to comply with clause 4.6.3 of the TCP Code.

2. The current TCP Code has been registered under Part 6 of the Act since 1 September 2012. It contains rules about how carriage service providers (CSPs) deal with their residential and small business customers. The rules apply to a range of CSP business practices, including the protection of personal information.

3. Telstra is one of the main providers of telecommunications services in Australia. Telstra is a carrier and a CSP within the meaning of the Act and a Supplier for the purposes of the TCP Code. Telstra is therefore required to comply with the provisions of the TCP Code.

4. On 3 September 2012, a direction was given to Telstra to comply with clause 4.6.3 of the TCP Code following an ACMA investigation into an incident identified in December 2011 (the December 2011 incident). The December 2011 incident involved the names and in some cases the addresses of approximately 734,000 Telstra customers, and the usernames and passwords of up to 41,000 of those customers, being found to be publicly available and accessible on the internet during the period from 29 March 2011 to 9 December 2011.

Relevant facts
5. In May 2013, Telstra contacted the ACMA to advise that it had learnt, via a journalist, that the names, phone numbers and addresses of around 15,775 Telstra customers had been available on the internet (the May 2013 incident).

6. Telstra subsequently confirmed that the information had been available from June 2012 to May 2013 and related to customer information from between 2006 and 2009. The records included the information of 1,257 active silent line customers. Of these, 950 related to Telstra retail customers, while 307 related to end users of Telstra's wholesale customers. Telstra also advised that there were at least 166 unique downloads of these records.

7. Telstra met with the ACMA to discuss the May 2013 incident on 15 October 2013 and provided the ACMA the Data Incident Report - May 2013 (the data incident report) the following day. The report outlined the reasons for the incident and the steps Telstra was taking to prevent such an incident from happening again.

8. Having considered the information provided, on 18 October 2013 the ACMA commenced an investigation into Telstra under paragraph 510(1)(c) of the Act.

9. Clause 4.6.3 of the TCP Code states that:

   Personal information: A Supplier must ensure that a Customer's or former Customer's Personal Information is protected from unauthorised use or disclosure and dealt with by the Supplier in compliance with all applicable privacy laws. A Supplier must take the following actions to enable this outcome:
   (a) Storage: have robust procedures for storing its Customers' Personal Information in its possession which are followed by its staff;
   (b) Security: have robust procedures to keep its Customers' Personal Information in its possession secure and restrict access to personnel who are authorised by the Supplier; and
   (c) Breach: ensure its staff understand that they may face disciplinary action if they breach the Supplier's privacy procedures, the Privacy Act or other privacy laws.

10. As explained in the introductory statement to the TCP Code, code rules are generally organised in two parts: a higher level outcome followed by some actions required to enable that outcome (emphasis added). Accordingly, it is possible for a supplier to contravene the higher level outcome part of a rule without having separately contravened the actions part.

11. The TCP Code adopts the definition of personal information under section 6 of the Privacy Act 1988 (Privacy Act), which defines personal information to include: information about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. In the ACMA's view, the customer information disclosed in the May 2013 incident is personal information within the meaning of the Privacy Act and Customer Personal Information within the meaning of the TCP Code.

ACMA Investigation Report Telstra Corporation Ltd Compliance with Telecommunications Consumer Protections Code 2

12. On 6 November 2013, the ACMA provided Telstra with the preliminary findings of this investigation. Telstra provided a response to those findings on 25 November 2013. On 14 January 2014, Telstra met with the ACMA to give further context about the challenges involved in testing access controls on an ongoing basis. Telstra's further submissions have been considered prior to the ACMA forming a final view, and have been referred to in this report where relevant.

Findings and Reasons

Compliance with the TCP Code
13. The ACMA has considered Telstra's compliance with clause 4.6.3 of the TCP Code having regard to:
- Telstra's letter to the Australian Privacy Commissioner dated 23 May 2013, which provided the OAIC with formal notification of the May 2013 incident;
- Telstra's letter to the ACMA dated 26 August 2013, which provided the ACMA with an update on Telstra's investigation into the May 2013 incident;
- Information provided by Telstra at the 15 October 2013 meeting;
- The data incident report dated 16 August 2013;
- The submission provided by Telstra on 25 November 2013 in response to the ACMA's Preliminary Investigation Report; and
- Information provided by Telstra at the 14 January 2014 meeting and confirmed by email on 20 January 2014.

Cause of the May 2013 incident
14. Telstra has stated that the May 2013 incident was caused by the deployment of a software solution on 24 February 2012 by an external provider. The software solution was intended to increase the character limit of an Internet Protocol (IP) white list access control, to enable more authorised users to access certain internal documents (a customer churn database). While this aim was achieved, the solution also inadvertently resulted in a small proportion of files ceasing to be protected by the white list access controls. This led to a small proportion of spreadsheets containing customer data being indexed by Google on 23 June 2012, which were then able to be found online using a specific Google search.

15. Telstra states that at the time the software solution was deployed, it assumed that the external provider would continue to deliver a secure solution, and had no reason to believe that existing protections against unauthorised access would not continue to apply. Telstra's investigation into the incident suggested that Telstra did not undertake a detailed review of the software solution deployed on 24 February 2012. While Telstra has stated that it thinks it is unlikely that additional testing would have identified the design flaw,[1] in the data incident report it nevertheless acknowledges that additional review and testing should have been undertaken prior to the acceptance and deployment of the software solution.

[1] Due to the difficulties of testing this type of software solution, and the large number of URLs that would have needed to be tested (approximately 56,000).

Relationship to the December 2011 incident
16. In its letter to the ACMA dated 26 August 2013, Telstra notes that while the May 2013 incident involved the same technology platform as the December 2011 incident, the circumstances and cause of each incident were very different. In its response to the ACMA's Preliminary Investigation Report, Telstra states that while the December 2011 incident was partly caused by internal administrative failings, the May 2013 incident resulted from a software solution entirely controlled by an external provider. Telstra states that in respect of the May 2013 incident it necessarily relied on the external provider to establish and maintain appropriate security controls.

17. The ACMA notes that the access control failures which ultimately led to the May 2013 incident occurred in the period immediately after the December 2011 incident. Telstra has advised that during this period, it was in the process of transitioning management of the external provider's platform to its IT area. While the data incident report notes that there were interim processes in place (including a special mailbox that was to be used to ensure software changes were reviewed by a security team), these processes were not followed when the software solution was deployed. While it appears that a Telstra employee tested the solution to ensure that authorised users were able to access the relevant documents, no test was undertaken to determine whether the documents could also be accessed by unauthorised users.

18. Telstra has acknowledged that there should have been more awareness about the need to closely monitor changes to access controls, particularly since the February 2012 software upgrade occurred so soon after the identification of the December 2011 incident.

Compliance with clause 4.6.3 of the TCP Code
19. As customer information was able to be accessed online as described above, the ACMA has found that Telstra failed to ensure that customers' and former customers' personal information was protected from unauthorised use or disclosure and dealt with in accordance with all applicable privacy laws.

20. The current TCP Code came into operation on 1 September 2012. The ACMA has therefore found that Telstra breached the headline clause of 4.6.3 of the TCP Code in respect of the May 2013 incident from 1 September 2012 to 15 May 2013, by failing to protect customer information during this period.

21. In its response to the Preliminary Investigation Report, Telstra argues that clause 4.6.3 of the TCP Code is satisfied if a provider takes the steps set out in subclauses (a), (b) and (c). It submits that the ACMA cannot assess breaches of the headline clause and the subclauses of the provision separately. As foreshadowed in paragraph 10 above, the ACMA does not accept this interpretation. The headline or outcome clause creates a distinct obligation and a provider can be found to be in contravention of that outcome obligation even if it has not separately contravened an actions obligation. The ACMA has assessed Telstra's compliance with clause 4.6.3 accordingly.

22. The ACMA also notes Telstra's submission that compliance with clause 4.6.3 of the TCP Code should be assessed with reference to the requirement to take reasonable steps to protect personal information set out in the National Privacy Principles.[2] While noting that clause 4.6.3 of the TCP Code refers to compliance with applicable privacy laws, the ACMA considers that this reference is additional to the requirement to protect customer information from unauthorised use or disclosure and does not operate to import the concept of reasonable steps from the Privacy Act with respect to the other requirements set out in that clause.[3]

[2] NPP 4, Schedule 3, Privacy Act 1988.
[3] The headline clause of 4.6.3 provides that a supplier must ensure that a customer's or former customer's personal information is protected from unauthorised use or disclosure and dealt with by the Supplier in compliance with all applicable privacy laws.

23. Telstra has submitted that it did take reasonable steps to protect customer information and it is not reasonable to expect it to conduct ongoing testing of software solutions in circumstances where testing is unlikely, for technical reasons, to reveal vulnerabilities.[4] Telstra has advised that 6 out of over 56,000 different URL pathways were not protected by access controls, and they were only accessible through a specific and targeted URL search. The ACMA notes that clause 4.6.3(b) of the TCP Code requires a supplier to have robust procedures to keep its customer information secure and restrict access to authorised personnel. At the meeting on 14 January, Telstra advised that it had procedures in place to search for Telstra data which may have been disclosed or inadvertently made publicly accessible. However, the ACMA notes that the incident was discovered by a journalist's source, not by Telstra, and that the customer information in question was accessible for at least 11 months. The ACMA also notes that there were at least 166 unique downloads of these records, indicating the records may have been accessed by multiple people. The ACMA therefore considers it reasonable to conclude that the information could also have been found by Telstra, if it had robust procedures in place to protect customer information.

[4] Telstra submits that ongoing testing on an open-ended basis could potentially reveal no security weaknesses at all, even if these did exist.

24. The ACMA is of the view that while every effort should be made to prevent unauthorised disclosure of customer information, providers should also have processes in place to address any problems that may not have been picked up initially, to ensure customer information is protected.

25. Telstra also submitted in its correspondence of 25 November that the May 2013 incident concerned a solution which was entirely controlled by the external provider, and that it relied on that provider to establish and maintain appropriate security controls. However, any reliance on the external provider has no bearing on whether Telstra breached clause 4.6.3. The TCP Code establishes an outcome which Telstra itself must deliver when dealing with customers, irrespective of any outsourcing arrangements it makes. Alternatively expressed, Telstra may (and no doubt often does) outsource various services but it cannot outsource its regulatory obligations when expressed in the form that clause 4.6.3 represents.

26. In any event, Telstra's August data incident report sensibly acknowledges that a more detailed review should have taken place to minimise the risk of a security issue, particularly as the solution was deployed shortly following the discovery of the December 2011 incident.

27. From the evidence provided, the ACMA considers that Telstra did not have robust procedures in place from 1 September 2012 to 15 May 2013 to ensure, on an ongoing basis, that access controls remained secure, and that unauthorised users could not access customer databases. This resulted in Telstra failing to address the data breach and customer information remaining available online during the specified period. While the ACMA acknowledges that having robust procedures in place may not guarantee the prevention of a security breach in every instance, it is Telstra's responsibility to implement procedures to ensure that the personal information of its customers is kept secure.

28. Accordingly, the ACMA has found that Telstra has contravened clause 4.6.3 of the TCP Code from 1 September 2012 to 15 May 2013, by failing to ensure that customers' and former customers' personal information was protected from unauthorised use or disclosure and by failing to have robust procedures in place to keep customers' personal information in its possession secure and restrict access to authorised personnel.

Compliance with the 3 September 2012 Direction
29. In its response to the Preliminary Investigation Report, Telstra submits that it did not breach the direction given to it by the ACMA on 3 September 2012 to comply with clause 4.6.3 of the Code. It argues that even if it were to accept that there was a failure to adequately test the access controls on the platform supplied by the external provider, the failure occurred when the software solution was deployed in February 2012, 6 months before the direction was issued.

30. The ACMA accepts that the underlying cause of the May 2013 incident occurred before the direction was given. However, from the time that the direction was given on 3 September, customer information remained available on the internet for over eight months. Telstra therefore did not protect this customer information from unauthorised use or disclosure during this period. As discussed in paragraphs 23 to 28, there do not appear to have been robust procedures in place to protect customer information. Given the nature of the December 2011 incident, and the fact that Telstra had been issued a direction to comply with clause 4.6.3 of the Code on 3 September 2012, the ACMA considers it reasonable to expect that Telstra would implement procedures not only to prevent privacy breaches, but also to address any breaches that may not have been caught initially.

31. The ACMA has found that the failure to comply with clause 4.6.3 was the result of deficient processes and procedures. As noted in paragraph 27, it is apparent that a robust process to keep customers' personal information in its possession secure and restrict access to authorised personnel did not exist during the period from 1 September 2012 to 15 May 2013. This is despite Telstra undertaking to implement improved security and data control procedures following the December 2011 incident.
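The testing gap described in paragraphs 17 and 23 (authorised access to the documents was confirmed, but nobody checked whether unauthorised clients were also served) and the ongoing verification that paragraph 27 calls for can be illustrated with a small two-sided access-control check. The following Python is an added example written for this page; it is not code from the report, from Telstra or from the external provider. The allowlist rules, file paths and IP addresses are constructed sample data, and the model of a path-based IP allowlist in which a path matched by no rule is served to everyone is an assumption made for illustration, not a description of the platform involved in the incident.

```python
"""Two-sided access-control audit for a path-based IP allowlist.

Added example for this page (not code from the ACMA report, Telstra or
the external provider). The rules, paths and addresses are constructed
sample data; the allowlist model itself is an assumption for illustration.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    """Paths matching path_glob may be fetched only from these networks."""
    path_glob: str
    networks: tuple  # CIDR strings, e.g. ("203.0.113.0/24",)


def is_permitted(rules, path, client_ip):
    """Return True if client_ip would be served path under the given rules.

    A path covered by no rule is served to everyone. That default-open
    behaviour is the assumed failure mode: a rewritten allowlist that
    silently stops matching a few paths leaves them world-readable.
    """
    ip = ipaddress.ip_address(client_ip)
    matching = [r for r in rules if fnmatch.fnmatch(path, r.path_glob)]
    if not matching:
        return True
    return any(ip in ipaddress.ip_network(net)
               for rule in matching for net in rule.networks)


def positive_only_passes(rules, paths, authorised_ip):
    """The inadequate check: only confirms that authorised users get through."""
    return all(is_permitted(rules, p, authorised_ip) for p in paths)


def audit(rules, paths, authorised_ip, unauthorised_ip):
    """Two-sided check.

    Returns (broken, exposed): paths an authorised client cannot reach,
    and paths an unauthorised client can reach. An empty second list is
    the property that the positive-only test never verifies.
    """
    broken = [p for p in paths if not is_permitted(rules, p, authorised_ip)]
    exposed = [p for p in paths if is_permitted(rules, p, unauthorised_ip)]
    return broken, exposed


# Constructed sample data (TEST-NET address ranges, invented paths).
AUTHORISED_IP = "203.0.113.10"     # inside the allowlisted office range
UNAUTHORISED_IP = "198.51.100.7"   # any address outside it

PATHS = [
    "/reports/churn/2010/q1.xlsx",
    "/reports/churn/2011/q3.xlsx",
    "/reports/churn/archive/2006-2009.xlsx",
]

# Before the change: one rule covers the whole directory tree.
RULES_BEFORE = (
    AllowRule("/reports/churn/*", ("203.0.113.0/24",)),
)

# After the change (constructed): the allowlist was rewritten per year to
# admit an extra network, and the archive directory was left out.
RULES_AFTER = (
    AllowRule("/reports/churn/2010/*", ("203.0.113.0/24", "192.0.2.0/24")),
    AllowRule("/reports/churn/2011/*", ("203.0.113.0/24", "192.0.2.0/24")),
)


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        broken, exposed = audit(rules, PATHS, AUTHORISED_IP, UNAUTHORISED_IP)
        print(f"{label}: positive-only check passes = "
              f"{positive_only_passes(rules, PATHS, AUTHORISED_IP)}")
        print(f"{label}: unreachable for authorised client = {broken}")
        print(f"{label}: exposed to unauthorised client    = {exposed}")
```

With the rewritten rules the positive-only check still passes, because every authorised request succeeds, while the two-sided audit reports the archive spreadsheet as reachable from an address outside the allowlist. That is the difference between confirming that authorised users can reach the documents and confirming that nobody else can. Run against a maintained inventory of protected resources on a schedule, the same audit provides the ongoing assurance that access controls remain effective which paragraph 27 describes.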


32. For the reasons outlined above, the ACMA has found that Telstra breached the direction from 3 September 2012 until 15 May 2013 by failing to ensure customer information was protected from unauthorised disclosure and by failing to have robust procedures in place to keep customers' personal information secure.

Telstra's response to the May 2013 incident
33. The information provided by Telstra indicates that as soon as it became aware of the data breach, it took steps to disable all public access links to the source and to have Google caches cleared to ensure that the data could not be accessed via a Google search. External access was removed before the incident was publicised in the media.

34. Telstra then took steps to contact all affected customers, and offer remediation as appropriate. It also implemented strategies to ensure affected customers of wholesale partners were contacted.

35. Telstra has advised in its letter of 26 August 2013 that as a result of the May 2013 incident, it is developing a new internal policy and procedure to ensure adequate review of software solutions.

36. Telstra states that it has implemented a number of measures to prevent future data breaches where possible, and to enable it to identify them where they do occur. These measures include:
- exiting the platform supplied by the external provider in December 2013;
- introducing more stringent information security controls around the procurement and management of software solutions;
- establishing a Security Exploration Team to proactively search for any Telstra customer data that may be accessible online;
- implementing a Data Loss Prevention program to improve security of customer data;
- reviewing the management of third party providers to ensure they are aware of privacy and security requirements; and
- developing and initiating a campaign to improve staff awareness of information security and privacy issues.

37. The ACMA considers that if effectively implemented, the above initiatives should improve Telstra's ongoing compliance with clause 4.6.3 of the TCP Code.

