The usernames, passwords, home addresses and full names of 60,000 Telstra bundle customers have been available online for anyone with the correct link to download, because Telstra hosted the sensitive data on a private database with no security protocols. While ex-employees of Telstra may have known the link, it was made public on Friday when a user of popular Australian community forum Whirlpool googled his own phone number and stumbled upon the database, which seems to have recently been ‘indexed’ and put onto the map by Google.
Even more troubling is the fact that the same server hosted forms which could have allowed users to administer BigPond email addresses, including transferring them between accounts.
The ‘Telstra bundles request search’ tool was taken down one hour after the security breach hit the mainstream media websites on Friday, and BigPond services remained blocked for most users for 24 hours. When access returned for BigPond customers, Bundle plan users’ passwords had been reset.
It beggars belief, but Telstra users were not notified and wouldn’t have known about the problem unless they contacted the help desk or found out about it through media outlets.
Vodafone was hit with a similar privacy breach earlier in the year when it was revealed Vodafone employees were using the same username and password to access customer information online, which meant there were little to no tracking processes in place to prevent misuse of the system.
Will you be considering a change of provider after such a privacy breach?