Australia’s communications regulator has fined Telstra $1,551,000 and ordered it to make improvements after the telco giant left thousands of its customers more vulnerable to mobile fraud and SIM-swap scams.

The Australian Communications and Media Authority (ACMA) said its investigation found Telstra did not follow the correct customer identity verification processes 168,000 times between August 2022 and April 2023.

ACMA said the breaches occurred during high-risk requests such as password resets and SIM card swaps, which occur when someone requests a replacement SIM card or eSIM — but can also be exploited by criminals.

ACMA’s Samantha Yorke said SIM-swap scams could be “particularly devastating, as victims can lose life savings as well as control of their phone number and other personal information”.

The regulator said victims of mobile fraud were losing an average of $28,000 each when it introduced new rules for customer identification in 2022.

Yorke said it was “unacceptable that Telstra did not have proper systems in place” when those rules were implemented, and left thousands of customers at risk of being scammed.

“While there is no direct evidence anyone suffered losses because of these breaches, customers need to be able to trust that their telcos are protecting their accounts from fraud,” she said.

ACMA said Telstra’s breaches included 7,000 interactions with customers who were identified as being in vulnerable circumstances.

The rules introduced by the regulator in 2022 require telcos to use multi-factor authentication, such as one-time codes sent to customers, before carrying out any actions which could compromise their accounts.

ACMA said the rules had so far been “very effective in reducing SIM-swap fraud”.

Telstra argues changes took time

In a statement to Information Age, Telstra said its delay in adhering to the new rules was due to it taking “the time to get the implementation right for our customers”.

A spokesperson for the telco described the changes needed under ACMA’s new rules as “significant”.

“We had to design and deploy multi-factor authentication processes across all our channels, while also maintaining our ability to service customer requests, including those customers who could not complete multi-factor authentication,” they said.

“We needed to take the time to get the implementation right for our customers, and while we made the changes as quickly as possible, we were not able to meet the initial commencement date for some aspects of the new rules.”

The spokesperson said Telstra “took measures to minimise the risk to customers”, and maintained customer security was “a key priority for our business”.
Telstra says it took precautions to minimise risks for its customers. Photo: Telstra

Australia’s peak body for communications consumers, the Australian Communications Consumer Action Network (ACCAN), described Telstra’s non-compliance as “an inexcusable oversight”.

ACCAN CEO Carol Bennett said ACMA’s findings highlighted “the need for strengthened legislation, higher penalties and better enforcement”.

“At a time when consumers are being asked to adopt new technologies, educate themselves and be proactive to avoid being scammed, a major telco has once again abrogated their responsibilities to protect their customers’ privacy and livelihoods,” she said.

“This should be more than just a wake-up call for Telstra.

“As a provider of an essential service, they need to put their customers first.”

More new rules for Telstra

In addition to paying its $1.5 million fine, Telstra has agreed to a two-year court-enforceable undertaking with ACMA.

The new rules are the second set of regulations announced for Telstra in as many weeks.

Under the latest agreement, Telstra must appoint an independent consultant at its own cost to “review its compliance with the customer ID rules and to make improvements where needed”, ACMA said.

Telstra will also need to provide quarterly reports to ACMA on its progress and provide fraud prevention training to all relevant staff by the end of November.

The telco will be required to review its training processes and commit to delivering the training to all relevant staff annually, beginning in 2025.

The new directives come after ACMA announced other rules for Telstra last week, after the telco was found to have leaked the details of more than 140,000 people who requested their phone numbers not be shared publicly.