An investigation by the Australian Privacy Commissioner explores how Telstra ended up placing details of 15,775 customers into a spreadsheet that was indexed by Google and available freely on its web site. That unfortunate experience provides plenty lessons for anyone involved with storing customer data -- an especially important consideration with Australia's privacy principles being strengthened this week.
Leak picture from Shutterstock
The breach was revealed in May last year, but the report into the incident was only released today. As Telstra had already been found guilty of a previous offence in 2011 involving 734,000 customers, it ended up whacked with a $10,200 fine -- though that's still arguably small compared to the reputational damage incurred. An external auditor will review at the end of June whether Telstra has adequately fixed all the problems identified.
Make sure that similar problems don't happen to you (or your employer) by taking note of these guidelines the report highlights.
Monitor your suppliers Telstra's data management had been outsourced to an (unnamed) third party. The big problem came because Telstra wanted some of that customer data to be accessible to resellers and other parties. "Telstra requested its third party provider to extend an access control to enable authorised partners to access Telstra’s retail information via the platform," the report explained. "The third party provider deployed the requested solution on 24 February 2012; this inadvertently turned off the access control, making the source files publicly accessible online." (Telstra has since shifted the operation of that platform in-house.)
Fixing breaches quickly helps. Although the data was exposed in February 2012, Google did not actually index it until June 2012. Had Telstra been more proactively monitoring its deployment, it might have avoided the data being indexed.
Follow the policies you create. This one speaks for itself:
Following the 2011 breach, Telstra implemented an interim process using a 'Security Approval mailbox', to ensure that any changes to the platform would be reviewed by Telstra's security team in order to mitigate the known risks. However, this process was not followed. Information from Telstra indicated that this was a key contributing factor to the data breach.
Processes are meaningless if you don't follow them. One key to making that happen? Ensure they include reporting requirements. It's harder to ignore a process when you have to report on how frequently it is carried out.
Set your robots.txt files correctly Not everything on your site needs to be indexed, and the robots.txt file instructs Google (and other services) not to index specific areas. Telstra forgot to do this:
Telstra (or the third party provider, on Telstra's behalf) did not effectively configure its website to request search robots such as Googlebot (via the robots.txt file) not to index, archive or cache the data on parts of the website not intended to be publicly accessible. Correctly implementing the robots.txt command would have significantly limited the discoverability of the compromised personal information, and may have prevented access by unauthorised persons.
If you've messed up once, proceed with caution. Mistakes happen, but once they have happened, you need to be even more vigilant. Not doing so may place you at risk of breaching privacy principles:
At the time of the data breach, Telstra was undertaking a remediation program in response to the 2011 breach involving the platform. The remediation program included decommissioning the third-party provided platform to an internal solution and remedying deficiencies in Telstra’s data management and security governance framework. In this regard, the Commissioner found that Telstra was operating in a heightened risk environment, and that Telstra was required to take steps that were reasonable in light of that risk environment.
Make sure you review policies regularly. Privacy commision Timothy Pilgrim summed up the issue in the announcement of the report: "There is no 'set and forget' solution to information security and privacy in the digital environment. Organisations need to regularly review and improve security systems to avoid data breaches." Set specific appointments in your calendar to make sure those reviews are carried out.
Test whether security systems still work. Remarkably, Telstra didn't think this was necessary:
Telstra also stated that once a particular access control is implemented in a secure state, there is no need to undertake on-going testing. The Commissioner disagreed on the basis that there is no 'set and forget' solution to security and privacy in the digital environment. As network and other vulnerabilities arise, and as programs and platforms are amended or updated, what is secure at a particular point in time can become subject to a vulnerability at a later date.
The bottom line? If you don't check your systems, patch them and adjust them, a breach is inevitable. Don't make that mistake.