In short:
The telecommunications regulator has found Telstra breached its licence after disclosing the details of more than 140,000 customers who requested to have their numbers unlisted.
More than 24,000 records were made public in White Pages, in a major violation of clients’ safety and privacy.
What’s next?
ACMA has ordered Telstra to implement a range of measures for remediation of impacted customers and to ensure such breaches don’t occur in the future, with legal action possible if these are not met.
Telstra has been issued a remedial direction after it was found to have broken regulatory obligations by publicly releasing the details of thousands of unlisted customers.
An investigation by the Australian Communications and Media Authority (ACMA) found the company breached its carrier licence on a number of occasions between 2013 and 2023 by publishing the personal information of more than 140,000 such clients.
Most of these breaches took place between 2021 and 2022. In the 10-year period overall, the carrier breached its licence 163,000 times.
This included the disclosure of 24,005 customer records, including phone numbers, names and addresses, in the White Pages, and 139,402 in Telstra’s own directory assistance database.
An unlisted or silent number is a provision a customer pays for to be hidden from public phone directories — both electronic and print — operator-assisted directory services, and on the phones of people they call.
These are often requested for privacy and safety and a failure to safeguard them can potentially put lives at risk.
Australia’s Integrated Public Number Database has a record of both listed and unlisted phone numbers, but it cannot be viewed by the public.
“Telstra is entrusted with personal details of millions of Australians and those people have the right to expect that Telstra has robust systems and processes in place to ensure their information is being protected,” ACMA consumer lead Samantha Yorke said.
Issue caused by system ‘misalignment’
ACMA’s investigation was commenced after Telstra notified the telecommunications regulator of its own disclosure of unlisted numbers in the White Pages in 2022.
A spokesperson for the provider said all affected customers had begun being remediated soon after the matter came to light.
“We found this issue in 2022, immediately reported our findings to the ACMA, took corrective action and communicated with customers,” they told the ABC.
“Since it occurred, we have significantly upgraded our systems through major software and technology improvements, and we conduct regular sweeps to pick up any potential misalignments.”
At the time Telstra said the publication of unlisted numbers had been caused by a “misalignment of databases” and not malicious cyber activity.
In an update in April last year, it said it was working on a permanent fix to resolve the issue after internal investigations.
Impacted clients were also offered free support through national identity and cyber security service IDCARE.
ACMA’s directive requires Telstra to reconcile its customer data with listings in White Pages and directory assistance databases every six months, train staff members on appropriate protocol, and have its systems and compliance procedures independently audited.
The regulator stressed oversight and assurances relating to protecting customers’ privacy needed to be more robust, given that number listing preferences can be changed anytime.
Telstra has admitted it “did not take proactive steps” to ensure its internal systems and White Pages were in sync in relation to number listing statuses.
It has now commenced a notification program which sends customers annual reminders that they are listed in the White Pages and advises those who disconnect on how to also remove their details from associated services.
ACMA has not imposed penalties over the breaches but Telstra’s failure to implement all its recommendations in full could be taken to court facing fines of up to $10 million per contravention.
Posted , updated