Telstra confirms customer data breach

Telstra confirmed to ZDNet Australia yesterday afternoon that the only details that could be sighted without the need to log-in were the name, address and account number of a customer. But afterwards, it was confirmed that a customer account holder's date of birth (DOB) could also be seen.

The form customers were asked to fill in (Screenshot received by ZDNet Australia)

"In light of what's been found out, it wasn't until ZDNet came to us that further checks revealed that it could be possible [to see a customer's DOB]," Telstra spokesperson Rod Bruem said.

A source who was one of Telstra's business customers said that the information that was available could potentially be used to sign up accounts under another company's name.

The source had received a letter in the post — accompanying Telstra's Business Brief newsletter and "I.E." magazine — which included a unique URL that encouraged users to sign up to Telstra business' online services portal.

To entice customers to sign up, the letter said Telstra had "already filled in the information we have on record". A further enticement was the fact that the customer could win a BlackBerry Bold.

To sign-up, customers were asked to enter the unique URL into their browser. When a customer typed the URL into their web browser it would bring up a form that had already been pre-populated with data. The customer said he was able to change the URL and find account information, such as name, address and account number of other users. There were around 500,000 customers. If the customer had filled in their form in the wake of receiving the promotional letter, their date of birth would also have been accessible. There were 700 of these.

Telstra confirmed that that the web form had been "pre-populated" with data and said that the promotional website had since been shut down, even before the Blackberry Bold competition had finished.

The Telstra business customer said that it was only after he made his complaint public that it was addressed by Telstra. It was made public on broadband forum Whirlpool, where he eventually disclosed the URL (now removed) that could be changed to reveal customer's data.

At first the Telstra business customer was reluctant to reveal the URL on the forum, but after waiting a few days after contacting Telstra he decided to make it public. It took five days for the site to get taken down. Bruem was unable to say why it took that long to get fixed.

Currently, an error page directs users to the standard sign-up page for Telstra business' online services instead of the promotional page sent in the letter to customers.

Bruem told ZDNet Australia that the firm that built the system, which he would not name, had confirmed to him that the dates of birth of customers was able to be seen, if they had filled in the form.

"I've got back to the firm that works for us in doing these sorts of things — and this one in particular — and they've done further checks today and they have confirmed what you have put to me: that it was indeed possible to view personal information by going in and seeing a pre-populated form that had been filled-in in the way you described," Bruem said.

"Telstra considers privacy to be one of our most important business principles, so when a process such as this potentially discloses personal information it is a serious concern."

He said it was "too early" to say what further steps would be taken in terms of alerting customers to the data breach.

"Apart from what's already happened and what's already been done, as soon as we were aware of even of the small amount of information potentially getting out we took it off," he said.

Bruem said Telstra would be reviewing its policy in relation to unique URLs that could be changed easily to reveal other accounts and that the company would "be making checks to make sure that any such forms in future are rigorously tested and are not able to be abused in this way".

A recent study found only a third of companies that experience data breaches notify customers promptly. Australia is still waiting on the introduction of data breach notification laws.