Telstra customers exposed by data breach

By Asher Moses and Ben Grubb
Updated November 6 2012 - 2:55am, first published December 9 2011 - 5:15am
A screenshot of the Telstra system, which as of 4.20PM Friday was accessible to the Mercury.

Detailed information about Telstra's customer accounts - including usernames and passwords - has been found to be sitting on the open web for anyone to access via a Google search.

A user of the Whirlpool forum discovered the "Telstra Bundles request search" page after doing a web search for a Telstra customer support phone number they were told to contact.

Anyone who visits the page can search Telstra's customer database based on the customer's last name, account number, sales force ID or reference number.

They are then presented with detailed information outlining the customer's account number, what broadband plan they're on, what other Telstra services they're signed up to and notes associated with the customers' accounts including in many cases their usernames and passwords.

There are also other details about technician visits, SMS messages sent to private mobile numbers and credit check details.

Ironically, a warning at the top of the page warns: "Information entered into or derived from this webform is Customer Data and Confidential Information and must not be used for any other purpose than to review the status of a customer's Bundle order."

Comment is being sought from Telstra. It is not yet clear how many accounts were exposed.

Ty Miller, chief technology officer at security firm Pure Hacking, declined to comment as Telstra is a Pure Hacking client.

It's not the first time Telstra has leaked customers' information online. In October last year this website reported that Telstra was being investigated by both the communications and privacy watchdogs after it sent out 220,000 letters that contained account information belonging to other customers.

The company also breached the privacy of people using its social media service Tribe in November of the same year.

Another breach in April 2010 saw the telco leak the personal information, such as the name, date of birth, address and account number of about 700 customers.
