Optus admits 'failure' in not identifying three big security incidents
By Ben Grubb
Optus has admitted to not taking reasonable steps to secure the private information and personal security of about 300,000 customers in three separate incidents last year.
Optus' admission, contained in what's known as an enforceable undertaking to the federal privacy commissioner, follows the Senate passing the Data Retention Bill on Thursday night, which requires all Australian telcos to store customer metadata for two years.
The bill was passed despite fears the data could be hacked if it was not secured correctly by telcos, which historically have a poor reputation in Australia for keeping information secure.
In the first incident, Optus mistakenly released the names, addresses and mobile phone numbers of about 122,000 Optus customers in the White Pages online directory without the consent of those customers.
The issue, which occurred due to a "coding error", also resulted in the majority of those customers' information being published in various print editions of the White Pages.
The second incident concerned a flaw that left customers vulnerable to 'spoofing' attacks, where an unauthorised party could potentially access and use customer voicemail accounts and messages, including being able to listen to recorded messages and change settings and preferences.
The third incident concerned Optus "deliberately" leaving the management ports of customer-issued modems open, incorrectly assuming that they were only accessible by Optus staff for network management purposes.
In addition, Optus issued 197,000 Netgear modems and 111,000 Cisco modems to its customers with factory default settings, including user default names and passwords in place.
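The third incident combines two configuration weaknesses that a fleet owner can check for before a third party reports them: management interfaces reachable from outside the customer network, and factory-default credentials left in place. The following is an added illustration of such a posture audit over a provisioning inventory; it is not Optus's code or any vendor's tooling, the record format, field names and severity scheme are assumptions, and the device records are constructed for the example.

```python
"""Fleet posture audit for customer-premises modems (added example).

Flags devices whose management port is bound to the WAN side and devices
still using the factory-default administrator credential, which is the
combination described in the article's third incident. The inventory
format below is an assumption, not a real provisioning export.
"""
from dataclasses import dataclass

# Constructed provisioning records, one device per line. Fields are assumed:
# serial, model, which interface the management service listens on,
# the management port, and whether the default credential has been changed.
INVENTORY = """\
serial,model,mgmt_bind,mgmt_port,default_creds_changed
CPE-0001,modem-a,lan,8443,yes
CPE-0002,modem-a,wan,8443,no
CPE-0003,modem-b,wan,23,yes
CPE-0004,modem-b,lan,22,no
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Finding:
    serial: str
    severity: str
    issue: str
    remediation: str


def parse_inventory(text):
    """Parse the header-prefixed CSV into a list of dicts keyed by column."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def audit_device(rec):
    """Return the findings for one device record."""
    findings = []
    wan_exposed = rec["mgmt_bind"] == "wan"
    default_creds = rec["default_creds_changed"] == "no"

    # Both weaknesses together let anyone on the internet administer the box.
    if wan_exposed and default_creds:
        findings.append(Finding(rec["serial"], "critical",
                                "management port reachable from the internet "
                                "with factory-default credentials",
                                "bind management to LAN only and force a "
                                "credential change"))
    elif wan_exposed:
        findings.append(Finding(rec["serial"], "high",
                                "management port reachable from the internet",
                                "bind management to LAN or restrict to the "
                                "operator's management network"))
    elif default_creds:
        findings.append(Finding(rec["serial"], "medium",
                                "factory-default credentials still in place",
                                "require a unique per-device credential at "
                                "provisioning time"))

    # Telnet carries the credential in cleartext regardless of binding.
    if rec["mgmt_port"] == "23":
        findings.append(Finding(rec["serial"], "medium",
                                "cleartext telnet management service",
                                "disable telnet and use SSH or HTTPS"))
    return findings


def audit_fleet(text):
    """Audit every record and return findings ordered by severity, then serial."""
    findings = []
    for rec in parse_inventory(text):
        findings.extend(audit_device(rec))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.serial))
    return findings


def summarize(findings):
    """Count findings per severity, for a one-line fleet status."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_fleet(INVENTORY)
    for f in results:
        print(f"{f.severity:8} {f.serial}: {f.issue} -> {f.remediation}")
    print(summarize(results))
```

The point of running such a check continuously, rather than once, is the gap the undertaking itself identifies: each incident was detected by a third party rather than by Optus, which prolonged the exposure. A scheduled audit over the provisioning inventory turns "management ports open and defaults in place" from something an outsider notices into a metric the operator sees first.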
"In each case, there was a failure by Optus to detect the incidents; the incidents were brought to Optus' attention by third parties," states the enforceable undertaking, which was signed by Optus chief executive Allen Lew and accepted by privacy commissioner Timothy Pilgrim.
"This resulted in Optus experiencing substantial delays in taking action to contain each incident, which also prolonged the duration of the risk to affected individuals."
It further concedes that the security measures in place "were not reasonable to protect the personal information that Optus held, particularly in relation to the White Pages incident".
Following an investigation, Mr Pilgrim accepted the enforceable undertaking from Optus, the first one issued under new reforms to the Privacy Act which came into effect in March last year.
This undertaking requires Optus to:
- Complete a set of reviews and certification;
- Provide copies of those reviews and certifications to the OAIC;
- Implement any recommendations and rectify deficiencies identified in those reviews and certifications; and
- Provide a report by an independent third party to the OAIC certifying that the specified actions have been completed.
In a statement, David Epstein, Optus vice-president of corporate and regulatory affairs, said Optus would continue to review its processes and systems to "prevent future mistakes".
"Optus takes privacy and security very seriously," he said.
Mr Pilgrim said he appreciated the "positive way" in which Optus worked with his office to address the incidents.
"I consider that the enforceable undertaking is an appropriate outcome that will ensure Optus takes steps to strengthen its privacy controls and meet its security obligations under the Privacy Act," Mr Pilgrim said.