3rd Party Risk Management , Breach Notification , Governance & Risk Management
Another Telco Breach Rocks AustraliaTelecommunication Giant Telstra Says It Was a Small Data Breach
Australian telecommunications provider Telstra said Tuesday it suffered a "minimal risk" data breach just weeks after rival Optus underwent a major cybersecurity incident.
Telstra, Australia's largest network provider, attributed the breach to the provider of a now-obsolete employee rewards program.
"There has been no breach of Telstra's systems. And no customer account data was involved," the company says. A hacker using the handle PwnSec posted Telstra information to the same online forum where someone last week published two samples of data taken from Optus (see: Optus Under $1 Million Extortion Threat in Data Breach).
PwnSec attributes the stolen data to My Rewards, a website that connects brands with shoppers. Appearing in the publicly viewable portions of the dataset are emails that correspond to the web domain of National Australia Bank, one of that country's Big Four lenders. The bank did not respond to an inquiry from Information Security Media Group.
Reinforcing its message of minimal risk to the public, Telstra sent a series of tweets emphasizing that none of its systems or networks were breached and stating that the affected data is limited to the first and last names and email addresses of employees from 2017.
Australian website news.com.au says up to 30,000 past and present Telstra employees appear to be in the leaked data set. Of these, nearly 12,800 are still employed with Telstra, the online news site reports.
Telstra says it has already informed the authorities and its current employees about the breach.
In an email sent to Telstra employees reported by news.com.au, Alex Badenoch, the company's group executive for transformation, communications and people, characterized the leak as an opportunistic attempt to profit from the tense climate created by the Optus breach.
Optus, in a Monday update, said only 2.1 million individuals of the 9.8 million affected by the data breach had their identity card number wrapped up in the incident.* "7.7 million customers do not have to take any further action [while] 2.1 million customers have had an identity document number exposed where they may need to take an action," said Optus CEO Kelly Bayer Rosmarin.
*Correction Oct. 10, 2022 21:13 UTC: Clarifies that the number of individuals affected by the breach remains at 9.8 million, although only 2.1 million had their identity card number potentially exposed.