Yesterday, the OAIC and ACMA revealed that data for these customers had been freely available online between February 2012 and May 2013, including information associated with 1,257 silent line customers.
The Australian operator has been fined A$10,000 (about US$9,000) for breaching privacy laws.
The breach is Telstra's second offence in recent years, despite the company's assurance after a previous leak that it had made significant investments in its system controls, and it raises concerns about the company's security practices.
Telstra reportedly contacted the ACMA after a journalist told the company that its customers' names, phone numbers and addresses were accessible online.
The OAIC then investigated Telstra and, although it confirmed that the company had taken steps to disable all public access links to the data, it found that Telstra had failed to permanently de-identify the leaked information.
A statement from the OAIC said: “Following the breach, Telstra agreed to undertake a number of actions, including exiting the software platform on which the incident occurred, establishing a clear policy for central software management, and reviewing contracts with third parties in relation to personal information handling.”
As well as the A$10,000 fine, Telstra will have a third-party auditor brought in to ensure that the company rectifies the issue by 30 June 2014.
“This incident provides lessons for all organisations – there is no ‘set and forget’ solution to information security and privacy in the digital environment,” said privacy commissioner Timothy Pilgrim. “Organisations need to regularly review and improve security systems to avoid data breaches.”