BreachExchange mailing list archives

Oops: Google search reveals private Telstra customer data


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Thu, 16 May 2013 08:45:21 -0400

http://www.theage.com.au/it-pro/security-it/oops-google-search-reveals-private-telstra-customer-data-20130516-2jnmw.html

The personal information of thousands of Telstra customers has been
found online using a Google search.

Lee Gaywood, 31, of Chelsea Heights in Victoria, contacted Fairfax
Media about the information being freely accessible to anyone online
after conducting a specific Google search that turned up Telstra
spreadsheets.

The owner of marketing business SMS Broadcast, Mr Gaywood said he
found the data when he was searching Google for telco carrier access
codes, which he needs to know for his SMS service to work.

Data discovered included customer names, telephone numbers and in some
cases home and business addresses.

"I couldn't really believe what I was looking at when I found the
data," Mr Gaywood said. "I've worked in telcos before and I know that
this sort of data should be kept very private and customers would
expect it to be secured."

He said he stumbled across the data after entering into the Google
search field "Telstra" and two other search terms, which Fairfax has
chosen not to name as the spreadsheets may still be cached on Google's
search engine.

Telstra took the files offline after being notified of the breach by
Fairfax at about 4pm on Wednesday.

Fairfax found approximately 1677 customer records in one of the
spreadsheets, which contained Telstra customers' names, phone numbers,
plan names and home addresses. A further three spreadsheets contained
8201 customer records that contained only names and telephone numbers,
but not home addresses.

The spreadsheets also contained internal Telstra reference numbers
relating to customer accounts. Other internal Telstra training
documents were also found online via a similar Google search to Mr
Gaywood's.

The data appeared to be hosted on a server belonging not to Telstra
but to a third party that it uses.

Telstra executive director of customer service, Peter Jamieson,
thanked Fairfax for alerting it to the issue. He said the breach was
"concerning" and that the data should not have been in the public
domain.

"This is unacceptable," Mr Jamieson said. "We take very seriously the
confidentiality of our customers' information and we will take all
steps to ensure we protect that information. [I'm] very disappointed
about the fact that we have made available information about our
customers on this occasion."

Telstra was investigating exactly how the data was made available
outside of its network, he said.

He added that the data appeared in some cases to be several years old,
but that this did not excuse its being online.

Mr Jamieson has since published a blog post explaining the breach.

Australian IT security researcher Troy Hunt said some of the customers
whose telephone numbers were listed in the spreadsheets may have had
silent (unlisted) numbers that they would have wanted kept private.

He said the customer data could potentially be used by someone with
malicious intent to socially engineer, or trick, a Telstra call centre
representative into disclosing more customer information.

For example, the data could enable a person to "establish
authenticity" with a Telstra call centre, Mr Hunt said, especially
considering the data confirmed a person was a customer and also
revealed what plan they were on.

Comment is being sought from the Office of the Australian Information
Commissioner, which polices data breaches in Australia.

Telstra's data breach record

Telstra hasn't had the best track record for keeping customer
information private and has had a number of customer data breaches in
recent years. The number of privacy breaches it has had prompted its
CEO, David Thodey, to email all staff in July last year telling them
that breaches "must not happen again".

He said breaches were affecting the telco's reputation and said staff
should inform their manager "as a matter of urgency" should they have
concerns with anything that threatens the privacy of Telstra's
customers.

In December 2011 an internal Telstra portal containing the details of
almost 800,000 customers was found to be exposed on the public
internet without password protection. The telco was also criticised in
July 2012 for sending, without permission, the URLs that its Next G
network customers visited to a company in Canada.

In April 2010 another Telstra breach exposed details of about 700
customers and in November 2010 another 3000 customers had their data
exposed. In October 2010 another breach involved the telco botching a
mail merge by sending out 220,000 letters containing account
information belonging to other customers.

More recently, in May 2013, another breach, concerning about 35,000
customers, affected BigPond Games account holders.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list