At approximately 1pm on Friday, a customer of Telstra BigPond – Australia’s largest internet service provider – posted on a forum that:
“If you do a Google search for that number [the number for Telstra’s ‘Bundles’ department, 1800 008 851], you get a very interesting result. Um, Telstra, that’s customer information just sitting out on the open Web … That page also seems to suggest that he shouldn’t have given me the number, but should have put me through.”
The customer had been trying to get a discount on a special “bundle” of services. Customers who had opted for the bundled services were the ones being managed within the software system, a customer relationship management program, that was exposed on the Internet.
The forum conversation quickly turned to an exploration of what details were accessible: usernames, passwords, full names, home and mobile numbers and addresses. It appeared the passwords may have been the initial ones issued to customers when their account was set up.
A user sent a complaint to Telstra and it was presumably then that staff at the company realised what had happened.
By 5:20pm, one forum user noted the site had been taken down. By then, access was also blocked to services such as email and account information. BigPond services remained blocked for most users for another 24 hours and when access returned, approximately 60,000 users’ passwords had been reset (including mine).
Telstra users were not notified and would only have found out about the outage if they contacted the help desk or through articles appearing in the Sydney Morning Herald or The Australian.
Resetting a password involved a lengthy wait on the telephone. As of Sunday evening, this was at least 45 minutes and so it appeared Telstra had not deployed any extra staff to handle the consequences of the breach. Whoever was manning the @telstra account on Twitter tried to empathise with customers without being able to do anything meaningful.
Telstra staff were apparently investigating how the site was exposed to the public and would notify the Privacy Commissioner. The fact the system was not password-protected and relied only on the expectation that nobody would discover the web address stretches credulity somewhat.
This is not the first time Telstra has breached customer privacy. In 2010, the company posted 220,000 letters containing account information belonging to customers.
With all incidents such as these, the best a company can hope for it that its customers are understanding. This, to some degree, depends on the company acting quickly to resolve the problem, informing everyone of the details and then moving rapidly to get customers’ issues resolved.
None of which Telstra managed to achieve – it took 24 hours to get services such as email back online.
Customers are being told they will be contacted within two to three days. As one those customers, I received this message on Twitter:
“Really sorry if your details were released. We will be contacting affected customers within the next couple of days to discuss.”
Telstra is seemingly not mobilising extra staff to handle support calls or password resets.
It has not been a good four weeks for large Australian corporations after the Qantas fleet grounding and associated PR gaffes. Telstra has managed to – almost – follow suit in alienating its customers.
The only thing missing in this instance is a Downfall parody.