Telecommunication giant Telstra has been fined $10,200 for breaching the privacy of 15,775 customers whose information was accidentally made publicly available online for 15 months.
In May of last year, Telstra and the Office of the Australian Information Commissioner (OAIC) were alerted to the publicly available customer information spreadsheet by a 31-year-old man from Victoria who found it via a Google search. Among the 15,775 customers were 1257 active silent phone line customers.
OAIC and the Australian Communications and Media Authority (ACMA) launched an investigation into the breach and, almost a year later, have handed down their report which contains a range of recommendations and a fine of $10,200.
This is one of many investigations the OAIC has conducted into Telstra’s conduct since 2009, with a 2011 information leak affecting 734,000 customers and incorrect mail sent to 220,000 addresses in 2010 topping the list of breaches.
Read more from www.abc.net.au.
Read more from www.oaic.gov.au.
In handing down their findings, the OAIC and ACMA noted that Telstra had failed to comply with directions over a previous code breach, yet they believe a $10,200 fine will be strong enough encouragement to prompt Telstra to operate within the codes going forward.
The size of the fine handed down is a joke. For a company of Telstra’s size, a fine of $10,200 would be similar to fining an individual $0.001. This isn’t even a slap on the wrist and, when you consider the resources which would have been spent investigating this breach, it makes no sense.
This isn’t Telstra’s first privacy breach either. The information of 734,000 Telstra customers was publicly available online from March to December of 2011, including the usernames and passwords of 41,000 customers. Telstra was involved in another breach last year, which affected 35,000 Bigpond Games customers.
So, why do big businesses keep getting away with it? Up until yesterday, the national laws in place surrounding information privacy were not strict enough to properly enforce world-leading privacy practices. New law changes, which came into effect yesterday, grant new enforcement powers to the Australian Privacy Commissioner, including the ability to fine companies up to $1.7 million. Disappointingly, for a company of Telstra’s size, $1.7 million is just a parking fine.
What do you think? Are companies being too reckless with your private information? Should Telstra have been fined more for its repeat breach? Should penalties be based on the seriousness of the breach and a per cent of that company’s income, rather than set maximum amounts?