Telstra breached the privacy of 15,775 customers when their personal information was publicly accessible on the internet between February 2012 and May 2013, the Privacy Commissioner has found.
The breach was first revealed by Fairfax Media in May 2013 after Lee Gaywood, 31, of Chelsea Heights in Victoria, found spreadsheets containing the data indexed by Google and accessible to anyone who searched for them. The exposed data included customer names, telephone numbers, account passwords and, in some cases, home and business addresses.
The discovery prompted action by Telstra and the Office of the Australian Information Commissioner. The exposed records included information on 1257 active silent-line customers, whose numbers are deliberately kept out of public directories.
Australian Privacy Commissioner Timothy Pilgrim found Telstra breached three existing National Privacy Principles when it failed to take reasonable steps to: ensure the security of personal information it held; destroy or permanently de-identify the personal information it held; and prevent disclosure of personal information other than for a permitted purpose.
Following the breach, Telstra agreed to take several actions, including replacing the software platform on which the incident occurred, and reviewing contracts with third parties relating to handling personal information.
Mr Pilgrim recommended Telstra engage an independent third-party auditor to certify it had implemented the planned rectifications and report back by June 30.
"This incident is a timely reminder to all organisations that they should prioritise privacy. All entities bound by the Privacy Act must have in place security measures to protect personal information," Mr Pilgrim said.
When the breach was revealed last year, Telstra said the spreadsheets had been downloaded at least 166 times. The telco took immediate steps to disable all public links to the source information and to contact affected customers.
Based on the Privacy Commissioner's findings, the Australian Communications and Media Authority found Telstra had contravened the Telecommunications Consumer Protections Code and had failed to comply with a previous direction to comply with the code, issued after an earlier breach. Telstra paid a $10,200 infringement notice for failing to comply with the direction.
The Privacy Commissioner also recommended that Telstra review its document retention policy to ensure it meets the requirements of the new Australian Privacy Principles, the privacy legislation that comes into effect on Wednesday, March 12. The new regime gives the commissioner stronger enforcement powers, including the ability to seek civil penalties of up to $1.7 million against companies.
A Telstra spokeswoman said the company took "customer privacy and data security very seriously. It is unacceptable for customer information to be publicly visible and we have apologised to the people affected last year."
She said the company had stopped using the RightNow platform and had made significant investments in more stringent controls around its systems.
"We accept the view that a problem with one of our IT platforms meant some basic customer details, such as names and addresses, were visible online for around 15,000 people. We will now engage an independent third-party auditor to certify we have implemented the steps we committed to with the Privacy Commissioner."
It is the third report Mr Pilgrim's office has published on Telstra. It previously investigated the exposure online of personal information of 734,000 customers in December 2011, and a mailing list error that resulted in 220,000 letters being sent to incorrect addresses in October 2010. The telco was also reported to have breached customer privacy twice in 2010, and again in May 2013 when details of 35,000 Bigpond Games customers were exposed.