This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Telstra

Summary

In December 2011, Telstra's internal Visibility Tool—a web-based customer management system—was discovered to be publicly accessible on the internet, exposing personal information of approximately 734,000 customers. The tool had been externally accessible from July to October 2011, and again in December 2011 following a software restoration error. The breach exposed customer names, phone numbers, service details, and in some cases passwords stored in plain text fields.

What Happened

Telstra's Visibility Tool was a web-based customer management system used by employees to access customer information. Due to a misconfiguration, this internal tool became publicly accessible on the internet without requiring authentication.

On 9 December 2011, a participant on an internet and technology discussion forum posted comments stating that an internal Telstra database containing customer information was accessible online. The tool had actually been externally accessible during two periods: initially from 26 July 2011 to 19 October 2011, and then again in December 2011 after a software restoration inadvertently restored incorrect security settings.

The Australian Privacy Commissioner opened an investigation on 12 December 2011 and found that Telstra had breached the National Privacy Principles (NPPs) by failing to have adequate security measures in place to protect customer information and by making an unauthorised disclosure of personal information.

Impact on Individuals

The exposed information included customer names, phone numbers, service holdings, and order numbers. Critically, the tool contained a free text field where Telstra consultants could record customer usernames and passwords, email addresses, or online bill account references in plain text—making this information directly readable by anyone who accessed the tool.

Telstra reset approximately 73,000 customer passwords as a precautionary measure for accounts where credentials may have been exposed. The company initiated a customer contact strategy to inform potentially affected customers through phone calls, SMS, email, and direct mail.

While the extent of unauthorised access to the exposed data is unknown, the breach created a risk of account takeover, identity theft, and unauthorised access to customer accounts and billing information.
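The free text field described above is the part of this incident that outlives any one misconfiguration: once consultants can type credentials into a notes box, every later exposure of that data carries account-takeover risk. The following is an added example of a write-path check for such notes; it is not code from Telstra or from the Visibility Tool. The credential labels and separators it looks for, the sample notes, and the two policies (redact or reject) are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical pattern: a credential-looking label followed by a value, e.g.
# "password: Summer2011!" or "PIN = 4471". The label list and separators are
# assumptions chosen for this example, not anything from the Telstra tool.
CREDENTIAL_PATTERN = re.compile(
    r"\b(?P<label>password|passwd|pwd|pass|pin)\b\s*(?:is|[:=])\s*(?P<secret>\S+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    label: str      # which label matched (lower-cased)
    position: int   # character offset of the secret in the original note


@dataclass
class ScanResult:
    redacted: str
    findings: list = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not self.findings


def scan_note(note: str) -> ScanResult:
    """Redact credential-like values from a free-text note and report each hit."""
    findings = []

    def _redact(match: re.Match) -> str:
        findings.append(Finding(match.group("label").lower(), match.start("secret")))
        return f"{match.group('label')}: [REDACTED]"

    return ScanResult(CREDENTIAL_PATTERN.sub(_redact, note), findings)


def store_note(note: str, *, policy: str = "redact") -> str:
    """Policy hook for the write path: persist the redacted text ('redact'),
    or refuse the write entirely when credentials are present ('reject')."""
    result = scan_note(note)
    if policy == "reject" and not result.clean:
        raise ValueError(f"note contains {len(result.findings)} credential-like value(s)")
    return result.redacted


# Constructed sample notes (not real customer data).
SAMPLE_NOTES = [
    "Cust called re slow ADSL sync. Power-cycled modem, issue resolved.",
    "Set up webmail. username jsmith@example.com password: Summer2011!",
    "Customer asked to note phone PIN = 4471 for future enquiries. Order 7781234.",
]

if __name__ == "__main__":
    for note in SAMPLE_NOTES:
        result = scan_note(note)
        print(f"{'OK ' if result.clean else 'HIT'} {result.redacted}")
```

Running the scan on the write path (rather than on a periodic sweep) means the plain-text secret never reaches the database, so a later exposure of the notes table, like the one described here, leaks nothing a consultant should not have recorded in the first place. A regex of this kind will produce some false positives; the `reject` policy is the safer default where the field has no legitimate reason to hold credentials.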

Organisational Response

Upon discovery of the breach, Telstra immediately secured the Visibility Tool and removed external access. The company reset around 73,000 passwords and began notifying affected customers through multiple channels.

The Privacy Commissioner's investigation concluded that Telstra did not have adequate security measures in place to protect personal information in the Visibility Tool, breaching NPP 4.1. The external accessibility of customers' personal information also constituted an unauthorised disclosure, breaching NPP 2.1.

Telstra implemented remediation measures including security reviews, changes to development and deployment processes, and improvements to monitoring and access controls. The company cooperated fully with the Privacy Commissioner's investigation and took steps to prevent similar incidents in the future.
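Two of the facts above point at one control: the tool went public through a misconfiguration, and a later software restoration put the wrong security settings back. A deployment gate that compares the live configuration against a security baseline catches both, whether the change arrives through a deploy or a restore. The following is an added example of such a gate and is not Telstra's code; the configuration keys (`require_auth`, `allowed_networks`, `listen_address`), the baseline values and the "restored" configuration are all constructed for illustration.

```python
import ipaddress

# Constructed security baseline for an internal web tool. The keys are
# hypothetical and stand in for whatever a real deployment's settings are called.
BASELINE = {
    "require_auth": True,
    "allowed_networks": ["10.0.0.0/8", "172.16.0.0/12"],
    "listen_address": "10.20.30.40",
}

# Constructed: what a restore from an older backup might bring back, i.e. the
# failure mode described above (security settings silently reverted).
RESTORED_CONFIG = {
    "require_auth": False,
    "allowed_networks": ["0.0.0.0/0"],
    "listen_address": "0.0.0.0",
}


def check_exposure(config: dict, baseline: dict = BASELINE) -> list:
    """Return human-readable violations where `config` would expose the tool
    beyond the internal baseline. An empty list means the config is acceptable."""
    violations = []
    if config.get("require_auth") is not True:
        violations.append("require_auth: authentication is not enforced")

    internal = [ipaddress.ip_network(n) for n in baseline["allowed_networks"]]
    for net in config.get("allowed_networks", []):
        candidate = ipaddress.ip_network(net, strict=False)
        # Every permitted source range must sit inside an internal range.
        if not any(candidate.subnet_of(i) for i in internal if i.version == candidate.version):
            violations.append(f"allowed_networks: {net} reaches beyond the internal ranges")

    # Binding to a wildcard or public address makes the tool reachable externally.
    listen = ipaddress.ip_address(config.get("listen_address", "0.0.0.0"))
    if not any(listen in i for i in internal):
        violations.append(f"listen_address: {listen} is not an internal address")
    return violations


def drifted_keys(config: dict, baseline: dict = BASELINE) -> list:
    """Keys whose deployed value differs from the baseline; useful for alerting
    after any restore, even one that produces no exposure violation."""
    return sorted(k for k in baseline if config.get(k) != baseline[k])


def deployment_gate(config: dict, baseline: dict = BASELINE) -> bool:
    """True only if the config may go live. Intended to run in the deploy and
    restore pipeline before the service is started."""
    return not check_exposure(config, baseline)


if __name__ == "__main__":
    for name, cfg in (("baseline", BASELINE), ("restored", RESTORED_CONFIG)):
        print(name, "drift:", drifted_keys(cfg), "violations:", check_exposure(cfg))
```

The gate is deliberately independent of how the configuration got there: a restore that reverts `require_auth` to `False` fails it exactly as a hand edit would. Pairing `deployment_gate` with `drifted_keys` in monitoring gives two signals, a hard stop on exposure and an alert on any deviation, which is the kind of deployment-process and monitoring change the remediation above describes in general terms.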

Verification Source: View original statement