Optus, the second largest telecommunications company in Australia, has agreed to an independent audit of its information security systems following three separate privacy breaches.
The incidents occurred between 2008 and 2013. In each case, the company was alerted to the breaches by third parties.
The first breach involved the telephone directory listed on the company’s website. Following an update in February 2013, Optus accidentally published the names, addresses, and phone numbers of some 122,000 customers who had elected not to have their details published online. According to a subsequent investigation, a coding error changed these customers’ preferences without their consent, causing their personal information to be published on the company’s website and in several print editions of White Pages.
The second incident pertained to Netgear and Cisco modems that Optus had deployed to 197,000 and 110,000 customers, respectively, since 2008. In order to administer the cable modems remotely, the company deliberately chose not to change the devices’ manufacturer passwords. This left hundreds of thousands of customers vulnerable to fraudulent calls by third parties.
Optus did not discover the flaw until April 2014, at which point it closed off the vulnerability.
The third and final breach exposed customers to spoofing attacks: a flaw in Optus’ security processes meant customers were not prompted for their passwords when they accessed their voicemail from outside the Optus network. This flaw could have allowed attackers to access customer accounts and change their preferences.
Optus’ decision to accept an independent audit of its security systems follows an investigation conducted by the Australian Privacy Commissioner Timothy Pilgrim, who began looking into the breaches after Optus notified him of the incidents in July of 2014.
In a release published on its website, Pilgrim states that the company’s decision, which he refers to as an “enforceable undertaking,” officially finalizes his investigation.
“I appreciate the positive way in which Optus worked with our Office to address these incidents. I consider that the enforceable undertaking is an appropriate outcome that will ensure Optus takes steps to strengthen its privacy controls and meet its security obligations under the Privacy Act.”
News of Optus’ decision comes a day after the Australian Senate voted in favor of legislation that will require telcos and ISPs to store their customers’ data for two years.