A colossal error by Australian telecommunications giant Telstra has resulted in the exposure of more than 130,000 customers' personal details.
Telstra released a statement detailing the accidental exposure of customers' names, numbers and addresses due to a "misalignment of databases."
In its statement, the company said it is responsible under regulatory obligations for providing both Directory Assistance services and the directory service, White Pages.
The company reported that the details of some "unlisted customers" were incorrectly made available via these services.
Chief financial officer Michael Ackland later elaborated in an interview with the ABC that the full extent of the leak consisted of around 16,000 customers' details published on the White Pages, and around 130,000 customers' details available on Directory Assistance.
While data leaks are typically linked to cyber attacks such as hacking or targeted phishing, the company said no "cyber activity" was involved in the publishing of its customers' data – rather, it was a first-hand mistake made by Telstra which led to the leak.
"It's important to recognise this was not a cyber security hack or a cyber security issue, it was a misalignment of databases," said Ackland.
"One of the things with both the White Pages and Directory Assistance is that customers can decide to have their details either listed or unlisted.
"We had a misalignment that we identified through our audit and reconciliation processes for a number of customers where on our databases they were tagged as being unlisted, when they had in fact been listed," he explained.
This effectively meant sensitive customer details which should not have been listed were made accessible through the online White Pages service, and others via a phone call to Directory Assistance.
Telstra has reportedly contacted customers impacted by this incident and offered them access to IDCare, Australia's national identity and cyber support service, for support regarding the exposure of their details.
The company has unabashedly apologised to customers for its mistake, and is conducting an internal investigation to "better understand how it happened and to protect against it happening again."
"Customers' privacy for us is absolutely paramount and it was unacceptable that this happened," said Ackland.
"Customers have every right to request that their data is unlisted and we got it wrong in this case."
Government signalling stricter laws
The mishandling of customer data by Australian companies has been a rampant concern over the past few months, with other large-scale organisations such as Optus, Medibank and LJ Hooker all experiencing unprecedented data breaches during the latter half of 2022.
Following months of successive data breaches, the Australian Government introduced new legislation which increases fines for companies for "serious or repeated" privacy breaches to $50 million.
And while the new Privacy Legislation Amendment (Enforcement and Other Measures) Bill has already passed both houses of Parliament, further legislative changes are being considered for tougher measures regarding data retention and the handling of sensitive information.
This is the second time in three months that Telstra has appeared in the news over a data breach.
Shortly after Optus announced its landmark data breach in September, a collection of approximately 30,000 Telstra staff records dating back to 2017 was leaked on a hacker forum.
In both cases of Telstra's data leaks, cyber security experts were quick to suggest stricter data management practices as a means of preventing further incidents.
The company has removed all impacted information from the online White Pages, is "completely reloading" the Directory Assistance database, and is now working to retroactively pull the impacted data off the internet.