Australian Telecom Firm Leaks Data of 130,000 Customers
'We're Sorry It Occurred, and We Know We Have Let You Down,' Telstra CFO Says
Australian telecommunications provider Telstra apologized for accidentally publishing names, numbers and addresses of over 130,000 customers whose details were supposed to be unlisted. The company blamed the error on a "misalignment of databases."
"We're in the process of communicating to some unlisted customers whose details were incorrectly made available via Directory Assistance or the White Pages," the company said in a Friday statement.
A spokesperson for Telstra was not immediately available to provide additional details.
A report by The Sydney Morning Herald claimed that the breach spanned a period of years.
Telstra Chief Financial Officer Michael Ackland said that the company is removing the identified affected customers from the "Directory Assistance service and the online version of the White Pages."
Ackland said the company has partnered with cybersecurity support service IDCARE, a nonprofit organization that specializes in identity theft and crisis management, to develop a response plan and offer affected individuals personal support throughout the process.
"We are conducting an internal investigation to better understand how it happened and to protect against it happening again," Ackland said.
The leak comes on the heels of Telstra's disclosure in October of a "minimal risk" data breach. That incident came just weeks after rival Optus underwent a major cybersecurity incident (see: Another Telco Breach Rocks Australia).
Australia's largest network provider attributed the breach to the provider of a now-obsolete employee rewards program.
Australian website news.com.au said up to 30,000 past and present Telstra employees appear to be in the leaked data set. Of these, nearly 12,800 are still employed with Telstra, the online news site reports.
Telstra says it has already informed the authorities and its current employees about the breach.
Reports of scams related to the leak are already surfacing. According to a Twitter post by @SallyRMelb, scammers are pretending to be IT support in order to further breach the affected customers.
Another tweet, posted by Yuthan Balaji K (@iamyuthan) on December 11, 2022, claims confusion over the use of one-time codes for authentication: "When contacting @Telstra customer care, the support staff compels us to provide the OTP received, but #Telstra message says NOT to do so. For a layman, it is unclear what can be done with the OTP by the Support Staff? Or is it a valid process, but #Telstra got the message wrong?"
Last year, a ransomware gang stole SIM card data and banking information in an attack on Schepisi Communications, a service provider to Australian telecommunications company Telstra (see: Ransomware Hits Australian Telecom Provider Telstra’s Partner).
Ironically, a former Telstra executive is helping to craft the country's cybersecurity policy. The Australian government is developing a new national cybersecurity strategy, and the project will be led by former Telstra CEO Andrew Penn; Rachael Falk, CEO of the Cyber Security Cooperative Research Center; and Mel Hupfeld, a retired senior officer of the Royal Australian Air Force (see: Australia Aims to Be World's 'Most Cyber-Secure' Country).