The Australian Privacy Commissioner has disclosed details of three major data breaches at Optus, spanning several years and affecting as many as 400,000 of its customers.
The breaches related to three separate incidents between November 2008 and May 2014 that saw the publication of customer information in the White Pages without consent, as well as issues around password protection on modems and voicemail accounts that left customers "vulnerable" to third party access.
In the first case, according to a statement from the Privacy Commissioner, a coding error on Optus' website meant that, if customers made a change to their plan and had previously elected not to have their details published in the White Pages directory, those preferences were "erroneously" changed.
"As a result, the names, addresses and mobile phone numbers of approximately 122,000 Optus customers were listed in the White Pages online directory without the consent of those customers," the statement read. "The information of the majority of those customers was also published in various print editions of the White Pages."
Optus discovered the issue after a customer complaint in April 2014 and informed authorities on June 3. According to the Commissioner, the "breach resulted in the disclosure of the contact information of silent line customers, which...can create significant risks for affected individuals".
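The White Pages incident is a familiar bug pattern: a form that updates one attribute rebuilds the whole record and silently drops preferences it did not carry. The following is an added illustration in Python, hypothetical code rather than anything from Optus' systems; the `Customer` record, the assumed default of "listed", and the sample customer are all constructed for the example. It shows the buggy and corrected plan-change handlers side by side, plus the kind of regression check that would have caught the reset before a directory export.

```python
"""Preference-reset bug on a plan change: buggy handler, fixed handler, and a
regression check. Hypothetical example code, not Optus' own implementation."""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Customer:
    name: str
    mobile: str
    plan: str
    # True means the customer asked NOT to be listed (a "silent line").
    # Assumed default for the example: listed. A default that favours
    # disclosure is exactly what makes an accidental reset harmful.
    directory_opt_out: bool = False


def change_plan_buggy(customer: Customer, new_plan: str) -> Customer:
    """Rebuilds the record from the fields the plan-change form submitted.

    The form never carried the opt-out flag, so the flag falls back to its
    default and a silent-line customer becomes listed."""
    return Customer(name=customer.name, mobile=customer.mobile, plan=new_plan)


def change_plan_fixed(customer: Customer, new_plan: str) -> Customer:
    """Touches only the field being changed; unrelated preferences survive."""
    return replace(customer, plan=new_plan)


def directory_entries(customers: List[Customer]) -> List[Tuple[str, str]]:
    """What a directory export would publish: everyone not opted out."""
    return [(c.name, c.mobile) for c in customers if not c.directory_opt_out]


def opt_out_regressions(before: List[Customer], after: List[Customer]) -> List[str]:
    """Batch check: mobiles whose opt-out was lost between two snapshots.

    Run over a day's plan changes (or before any directory export) this
    surfaces the bug as a non-empty list instead of a customer complaint."""
    after_by_mobile = {c.mobile: c for c in after}
    return [
        c.mobile
        for c in before
        if c.directory_opt_out
        and c.mobile in after_by_mobile
        and not after_by_mobile[c.mobile].directory_opt_out
    ]


def demo() -> dict:
    # Constructed sample: one silent-line customer changing plan.
    silent = Customer("A. Example", "0400000000", "basic", directory_opt_out=True)
    buggy = change_plan_buggy(silent, "premium")
    fixed = change_plan_fixed(silent, "premium")
    return {
        "buggy_listed": directory_entries([buggy]),
        "fixed_listed": directory_entries([fixed]),
        "buggy_regressions": opt_out_regressions([silent], [buggy]),
        "fixed_regressions": opt_out_regressions([silent], [fixed]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is not just `replace()` versus a constructor call: the safer design is to store the opt-out where a plan change cannot reach it, and to gate every directory export on a check like `opt_out_regressions` against the previous snapshot.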
In the second case, Optus distributed 197,000 Netgear modems and 111,000 Cisco modems to customers with the factory default user names and passwords still in place. Unless customers changed those credentials, a third party who knew the defaults could have used them "to make and charge calls as though they were the Optus customer."
The modems were distributed from November 2008, though the problem was not discovered until April 2014, with authorities informed that same month. The Privacy Commissioner advised that "Optus closed off the vulnerability" and "there is no evidence that this security vulnerability was exploited."
Similarly, a "flaw in Optus' security processes" between September 2013 and 13 May 2014 meant that some customers were not prompted for their password when retrieving voicemail messages when outside Optus' network -- an issue that was not identified during testing. As a result, these customers were left vulnerable to having messages and voicemail settings accessed by a third party.
Optus was informed of the issue on April 28, 2014 and notified authorities the following month.
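The voicemail flaw is an authentication decision that depends on where the call comes from: a caller-ID shortcut that is safe for calls the carrier's own switch originated becomes a bypass once the same logic is applied to calls arriving from outside the network, where the presented number can be whatever the caller chooses. The following added example, hypothetical Python rather than Optus' code, shows a flawed access policy beside a corrected one and the off-network test cases that the text says were missing; the `VoicemailRequest` fields and the PIN table are assumptions for the illustration.

```python
"""Voicemail access policy: flawed (trusts caller ID alone) versus fixed
(caller-ID shortcut only for on-network calls). Hypothetical example code,
not the carrier's own implementation."""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class VoicemailRequest:
    mailbox: str                # number whose mailbox is being retrieved
    caller_id: str              # presented CLI; spoofable from off-network
    on_net: bool                # True only if the carrier's own switch set it
    pin_supplied: Optional[str] = None


def _pin_ok(req: VoicemailRequest, pins: Dict[str, str]) -> bool:
    expected = pins.get(req.mailbox)
    if expected is None or req.pin_supplied is None:
        return False
    # Constant-time compare so the check does not leak PIN digits via timing.
    return hmac.compare_digest(req.pin_supplied, expected)


def access_allowed_flawed(req: VoicemailRequest, pins: Dict[str, str]) -> bool:
    """Skips the PIN whenever the CLI matches the mailbox, wherever the call
    originated. An off-network caller presenting the victim's number gets in."""
    if req.caller_id == req.mailbox:
        return True
    return _pin_ok(req, pins)


def access_allowed_fixed(req: VoicemailRequest, pins: Dict[str, str]) -> bool:
    """Caller-ID shortcut only for calls the carrier itself originated; every
    off-network retrieval must present the mailbox PIN."""
    if req.on_net and req.caller_id == req.mailbox:
        return True
    return _pin_ok(req, pins)


# Constructed sample PIN table (mailbox number -> PIN).
PINS = {"0400000000": "4821"}


def run_cases() -> Dict[str, Dict[str, bool]]:
    """The test matrix a release should have included: the same request from
    on-net and off-net, with and without a PIN, against both policies."""
    cases = {
        "on_net_own_handset": VoicemailRequest("0400000000", "0400000000", True),
        "off_net_spoofed_cli_no_pin": VoicemailRequest("0400000000", "0400000000", False),
        "off_net_correct_pin": VoicemailRequest("0400000000", "0299999999", False, "4821"),
        "off_net_wrong_pin": VoicemailRequest("0400000000", "0299999999", False, "0000"),
    }
    return {
        name: {
            "flawed": access_allowed_flawed(req, PINS),
            "fixed": access_allowed_fixed(req, PINS),
        }
        for name, req in cases.items()
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name}: {result}")
```

The case that matters is `off_net_spoofed_cli_no_pin`: the flawed policy admits it, the fixed one does not. Whether a call is "on-net" must come from the switch's own signalling, never from anything the caller supplies.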
A full review
The Privacy Commissioner noted that Optus cooperated with its investigations and has agreed to conduct a full review of its security measures, in conjunction with an independent auditor.
Optus has not disclosed the total number of customers affected, but provided the following statement on the issue.
Optus takes privacy and security very seriously. We have already taken the following steps to rectify a number of issues that were identified in 2014, including:
- Resolved the issues identified
- Reviewed and enhanced our processes
- Obtained external audits
Optus has cooperated with the Privacy Commissioner and provided an undertaking to obtain an independent external review of its compliance with privacy laws. Affected customers were notified in 2014 and we worked with individuals to address their concerns at that time. We will continue to review our processes and systems to prevent future mistakes.
Optus is not the first to be affected by a major data breach that disclosed customer information. In July 2014, a daily deals website disclosed a breach that had exposed customer information, but the company had failed to inform its customer base for more than three years.
The incident led to renewed calls for mandatory data breach notification laws, with Shadow Attorney-General Mark Dreyfus saying it is "likely that there are a number of data breaches which are simply going undisclosed."
But after several years on the backburner, legislation could be much closer with the Parliamentary Joint Committee review on data retention recommending that data breach notification laws be brought in with the introduction of mandatory data retention laws. The Government accepted this recommendation (recommendation 38 of 39) and advised it would introduce a data breach scheme by the end of 2015.