Ben Grubb
Published: May 16, 2013 – 2:06PM
The personal information of thousands of Telstra customers has been found online using a Google search.
Lee Gaywood, 31, of Chelsea Heights in Victoria, contacted Fairfax Media about the information being freely accessible to anyone online after conducting a specific Google search that turned up Telstra spreadsheets.
The owner of marketing business SMS Broadcast, Mr Gaywood said he found the data when he was searching Google for telco carrier access codes, which he needs to know for his SMS service to work.
Data discovered included customer names, telephone numbers and in some cases home and business addresses.
“I couldn’t really believe what I was looking at when I found the data,” Mr Gaywood said. “I’ve worked in telcos before and I know that this sort of data should be kept very private and customers would expect it to be secured.”
He said he stumbled across the data after entering into the Google search field “Telstra” and two other search terms, which Fairfax has chosen not to name as the spreadsheets may still be cached on Google’s search engine.
Telstra took the files offline after being notified of the breach by Fairfax at about 4pm on Wednesday.
Fairfax found approximately 1677 customer records in one of the spreadsheets, which contained Telstra customers’ names, phone numbers, plan names and home addresses. A further three spreadsheets contained 8201 customer records that contained only names and telephone numbers, but not home addresses.
The spreadsheets also contained internal Telstra reference numbers relating to customer accounts. Other internal Telstra training documents were also found online via a similar Google search to Mr Gaywood’s.
The data appeared to be hosted on a server belonging not to Telstra but to a third party it uses.
Telstra executive director of customer service, Peter Jamieson, thanked Fairfax for alerting it to the issue. He said the breach was “concerning” and that the data should not have been in the public domain.
“This is unacceptable,” Mr Jamieson said. “We take very seriously the confidentiality of our customers’ information and we will take all steps to ensure we protect that information. [I’m] very disappointed about the fact that we have made available information about our customers on this occasion.”
Telstra was investigating exactly how the data was made available outside of its network, he said.
He added that in some cases the data appeared to be several years old, but that this did not excuse its being online.
Mr Jamieson has since published a blog post explaining the breach.
Australian IT security researcher Troy Hunt said some of the customers whose telephone numbers were listed in the spreadsheets may have had silent numbers which they would have wanted to have been kept private.
He said the customer data could potentially be used by someone with malicious intent to socially engineer, or trick, a Telstra call centre representative into disclosing more customer information.
For example, the data could enable a person to “establish authenticity” with a Telstra call centre, Mr Hunt said, especially considering the data confirmed a person was a customer and also revealed what plan they were on.
Comment is being sought from the Office of the Australian Information Commissioner, which polices data breaches in Australia.
Telstra’s data breach record
Telstra hasn’t had the best track record for keeping customer information private and has had a number of customer data breaches in recent years. The number of privacy breaches it has had prompted its CEO, David Thodey, to email all staff in July last year telling them that breaches “must not happen again”.
He said breaches were affecting the telco’s reputation and said staff should inform their manager “as a matter of urgency” should they have concerns with anything that threatens the privacy of Telstra’s customers.
In December 2011 an internal Telstra portal containing the details of almost 800,000 customers was found to be exposed on the public internet without password protection. The telco was also criticised in July 2012 for sending the URLs its Next G network customers visited to a company in Canada without permission.
In April 2010 another Telstra breach exposed details of about 700 customers, and in November 2010 another 3000 customers had their data exposed. In October 2010 another breach involved the telco botching a mail merge, sending out 220,000 letters containing account information belonging to other customers.
More recently, in May 2013, another breach, concerning about 35,000 customers, affected BigPond Games account holders.