
Telstra

Summary

Telstra exposed the personal information of 15,775 customers, including 1,257 silent line customers, when internal spreadsheets containing names, phone numbers and addresses were made publicly accessible through Google search. The breach was particularly serious as it compromised the privacy of customers who had paid for unlisted numbers.

What Happened

Between February 2012 and May 2013, customer data from 2009 and earlier was inadvertently made accessible on the internet. A third-party provider deployed a solution on 24 February 2012 that unintentionally turned off access controls, making source files publicly accessible. Google indexed these files from 23 June 2012, making them discoverable via simple web searches until 15 May 2013.

Victorian resident Lee Gaywood discovered the breach when he found Telstra spreadsheets containing personal information freely accessible through Google search. The exposed data included phone numbers, customer names and home addresses from internal Telstra records.

Impact on Individuals

The breach had particularly severe consequences for certain customer groups:

  • Silent line customers: 1,257 customers who had specifically paid for unlisted numbers had their contact details exposed, defeating the purpose of this privacy-protecting service
  • Privacy violations: Names, phone numbers and addresses were accessible to anyone with basic internet search skills
  • Harassment risk: Unlisted number customers may have been seeking privacy from harassment, stalking or other threats
  • Trust breach: Customers who paid extra for privacy protections found those safeguards had been compromised

All affected customers faced increased risks of telemarketing, scams and unwanted contact.

Organisational Response

The Privacy Commissioner conducted an own-motion investigation and found that Telstra had breached the Privacy Act by failing to take reasonable steps to secure personal information it held. The Commissioner also found that Telstra had unlawfully disclosed personal information. Both the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) conducted separate investigations that found Telstra had breached Australia's privacy laws.

Telstra paid a $10,200 infringement notice for failing to comply with a direction under the Telecommunications Consumer Protection Code. The incident occurred despite previous privacy breaches by Telstra in 2010, when two separate incidents exposed the details of approximately 4,000 customers.
