Australia’s communications watchdog has imposed new rules on Telstra after the telecommunications giant was found to have leaked the details of more than 140,000 people who requested their phone numbers not be shared publicly.
The Australian Communications and Media Authority (ACMA) said it had issued Telstra with “a remedial direction” following an investigation of the leaks of unlisted numbers, which the telco publicly disclosed in December 2022.
Consumers who choose to have unlisted or so-called ‘silent’ numbers often do so for safety and privacy reasons, as the numbers are not meant to appear to call recipients, or in print or electronic directories.
ACMA said its investigation, completed in May 2024, found Telstra had published 139,402 unlisted numbers with customer details in its directory assistance database and 24,005 unlisted numbers with customer names and addresses in the White Pages.
In total, ACMA found Telstra breached the conditions of its carrier license over 163,000 times between 2021 and 2022.
“Some customers had their unlisted numbers and details included in both the White Pages and the directory assistance database,” ACMA said.
ACMA’s investigation found Telstra self-reported potential non-compliance seven times between October 2022 and October 2023.
The regulator has ordered Telstra to improve its data reconciliation, staff training, record keeping, and reporting, and to carry out an independent audit of its systems and processes.
ACMA said Telstra faced court action if it did not follow the regulator’s directions, which could lead to penalties of up to $10 million per breach.
During the investigation, Telstra told ACMA it accepted that it "did not ensure, to the greatest extent practicable, that the White Pages did not include unlisted number customer data”.
In a statement to Information Age, Telstra said it had significantly improved its systems to prevent a repeat.
"We found this issue in 2022, immediately reported our findings to the ACMA, took corrective action and communicated with customers,” a spokesperson said.
“Since it occurred, we have significantly upgraded our systems through major software and technology improvements and we conduct regular sweeps to pick up any potential misalignments.”
In 2022, Telstra said the disclosure of some customers’ names, numbers, and addresses was the result of “a misalignment of databases” and not a cyber-attack or security incident.
It apologised for breaching customers’ trust and said protecting their privacy was “absolutely paramount”.
Breaches ‘a serious matter’
ACMA’s consumer lead Samantha Yorke said while the regulator was not aware of any harm caused to people as a result of Telstra’s breaches, the company’s failure to safeguard customer information was “a serious matter” which “put people’s privacy and safety at risk”.
“Telstra is entrusted with personal details of millions of Australians and those people have the right to expect that Telstra has robust systems and processes in place to ensure their information is being protected,” she said.
Australia’s peak body for communications consumers, the Australian Communications Consumer Action Network (ACCAN), said Telstra's actions breached community trust.
The organisation's CEO, Carol Bennett, said silent numbers were often used by the clients of women's services organisations, to maintain privacy and safety.
"There are very good reasons why people elect to have a silent number," she said.
"Regardless of the reason, they should be able to expect privacy in that choice."
Telstra said it had significantly improved its systems to prevent similar breaches from reoccuring. Photo: Telstra
New rules imposed on Telstra
ACMA has ordered Telstra to compare its customer data with its White Pages and directory assistances databases at least once every six months, and remove details of customers with unlisted numbers if any are found.
The telco must also “take steps” to make sure any such information is not published in upcoming hard copy versions of the White Pages.
The directions order Telstra to establish a training program for relevant staff by September 2024, which all staff with relevant responsibilities will need to complete annually.
ACMA has also ordered the telco to have its systems and procedures independently audited.
Once a final plan of action is approved by the regulator, Telstra will need to report to ACMA every six months until the agreed actions have all been implemented.
ACCAN's CEO argued that deterrance actions available to the communications regulator were inadequate.
“This issue typifies an enforcement and consumer protections system that isn’t fit for purpose," Carol Bennett said.
"The ACMA should have a modern regulatory toolkit at its disposal, and be empowered to apply strong and immediate penalties commensurate with the seriousness of misconduct.”
Telstra announces price increases
Telstra announced price increases on Tuesday which will see the cost of its mobile plans and pre-paid mobile broadband plans rise by between $2 and $4 a month.
Postpaid plan prices will rise from 27 August, while prepaid plans will increase from 22 October.
The company said the changes were necessary due to increased network usage and its investments in expanding coverage and increasing security.
Telstra executive Brad Whitcomb argued that while increasing prices was “always a difficult decision, especially in the current climate”, the cost of telecommunications had not risen as fast as other consumer goods and services.
The move comes almost two months after Telstra announced it would cut around 2,800 jobs, or about 9 per cent of its workforce.