Telstra has been issued a remedial direction after it was found to have broken regulatory obligations by publicly releasing the details of thousands of unlisted customers.
An investigation by the Australian Communications and Media Authority (ACMA) found the company breached its carrier licence on a number of occasions between 2013 and 2023 by publishing the personal information of more than 140,000 such clients.
Most of these breaches took place between 2021 and 2022. In the 10-year period overall, the carrier breached its licence 163,000 times.
This included the disclosure of 24,005 customer records, including phone numbers, names and addresses, in the White Pages, and 139,402 in Telstra’s own directory assistance database.
An unlisted or silent number is a provision a customer pays for to be hidden from public phone directories — both electronic and print — operator-assisted directory services, and on the phones of people they call.
These are often requested for privacy and safety and a failure to safeguard them can potentially put lives at risk.
Australia’s Integrated Public Number Database has a record of both listed and unlisted phone numbers, but it cannot be viewed by the public.
“Telstra is entrusted with personal details of millions of Australians and those people have the right to expect that Telstra has robust systems and processes in place to ensure their information is being protected,” ACMA consumer lead Samantha Yorke said.
Issue caused by system ‘misalignment’
ACMA’s investigation was commenced after Telstra notified the telecommunications regulator of its own disclosure of unlisted numbers in the White Pages in 2022.
A spokesperson for the provider said all affected customers had begun being remediated soon after the matter came to light.
“We found this issue in 2022, immediately reported our findings to the ACMA, took corrective action and communicated with customers,” they told the ABC.
“Since it occurred, we have significantly upgraded our systems through major software and technology improvements, and we conduct regular sweeps to pick up any potential misalignments.”
At the time Telstra said the publication of unlisted numbers had been caused by a “misalignment of databases” and not malicious cyber activity.
In an update in April last year, it said it was working on a permanent fix to resolve the issue after internal investigations.
Impacted clients were also offered free support through national identity and cyber security service IDCARE.
ACMA’s directive requires Telstra to reconcile its customer data with listings in White Pages and directory assistance databases every six months, train staff members on appropriate protocol, and have its systems and compliance procedures independently audited.
The regulator stressed oversight and assurances relating to protecting customers’ privacy needed to be more robust, given that number listing preferences can be changed anytime.
Telstra has admitted it “did not take proactive steps” to ensure its internal systems and White Pages were in sync in relation to number listing statuses.
It has now commenced a notification program which sends customers annual reminders that they are listed in the White Pages and advises those who disconnect on how to also remove their details from associated services.
ACMA has not imposed penalties over the breaches but Telstra’s failure to implement all its recommendations in full could be taken to court facing fines of up to $10 million per contravention.
Implications for DV victim-survivors
Women’s support groups say the misuse of silent numbers has often been raised as a matter by clients and was a grave privacy breach for those experiencing economic abuse in the context of domestic and family violence.
CEO of the Centre for Women’s Economic Safety (CWES), Rebecca Glenn, said the findings against Telstra revealed “a horrifying breach of privacy with financial safety implications on top of other potentially devastating consequences”.
“Given the only remedy appears to be to change numbers, this creates a significant burden on victim-survivors to contact providers of financial and essential services with updated details,” she said.
“The telco sector needs to get serious about its responses to domestic and family violence. Clearly, current consumer protections in the telco sector have insufficient deterrence power to drive better behaviour.”
The Australian Communications Consumer Action Network (ACCAN) criticised the inadequacy of deterrence actions available to the regulator.
© 2020 Australian Broadcasting Corporation. All rights reserved.
ABC Content Disclaimer
