Optus to review information security after privacy snafu

Optus has submitted an enforceable undertaking to Australian Privacy Commissioner Timothy Pilgrim which commits it to an independent review of its information security systems.

The telco also has to implement any recommendations following the review.

Optus made the commitment due to three privacy incidents which were investigated by Pilgrim in 2014.

In February 2013, Optus made a change to its website. Due to a coding error that occurred during this change, Optus customers who completed a rate plan change via the website had their White Pages listing preference changed from No to Yes. As a result, the names, addresses and mobile phone numbers of 122,000 Optus customers were listed online with consent.

The telco was made aware of the issue in April 2014.

The second incident involved Netgear and Cisco modems. Optus left the management ports for these models of modems open because it assumed they were only accessible for network management purposes. In addition, Optus issued 197,000 of the Netgear modems and 111,000 of the Cisco modems to its customers with factory default settings, including user default names and passwords in place.

On 4 April 2014, Optus closed off the vulnerability by implementing access controls and modifying configuration files on its modems.

The third incident involved voicemail information. Between September 2013 and 13 May 2014, a flaw in Optus’s security processes led to some customers not being prompted for their password when attempting to retrieve voicemail information from outside the Optus network. This meant an unauthorised party could potentially access and use customer voicemail accounts messages.

Pilgrim said he was concerned that Optus may not have taken reasonable steps to secure the personal information it held, as required by Australian Privacy Principle 11 which covers the security of personal information.

“Organisations and agencies need to take reasonable steps to protect the personal information of customers. If personal information is compromised, I encourage organisations and agencies to notify affected individuals and the OAIC, where there is a real risk of serious harm to an individual,” he said in a statement.

According to Pilgrim, this is the first enforceable undertaking made under the Privacy Act reforms which came into effect on 12 March 2014.

Optus corporate and regulatory affairs vice president David Epstein said that the company takes privacy and security very seriously.

"We have already taken the following steps to rectify a number of issues that were identified in 2014, including resolving the issues identified, reviewing and enhancing our processes and obtaining external audits," he said.

He added that Optus has co-operated with the Privacy Commissioner and provided an undertaking to obtain an independent external review of its compliance with privacy laws.

"Affected customers were notified in 2014 and we worked with individuals to address their concerns at that time. We will continue to review our processes and systems to prevent future mistakes," said Epstein.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia