CIO

Optus undertakes extensive security review as sanction for “significant” privacy breaches

Number-two telecommunications company SingTel Optus will undergo a wide-ranging, independent review of its information-security systems after working with the Office of the Australian Information Commissioner (OAIC) to finalise an enforceable undertaking relating to what privacy commissioner Timothy Pilgrim has called three “significant” breaches of customer privacy last year.

The agreement – the first enforceable undertaking finalised under the major Privacy Act overhaul that came into effect in March 2014 – relates to the mishandling of personally identifiable information (PII) of 122,000 Optus customers who requested to not be listed in White Pages but were listed there anyway; a security hole left open during the deployment of 308,000 modems that left them vulnerable to spoofing attacks by malicious outsiders; and an authentication error that allowed access to certain customers' voicemails without a password.

Pilgrim's investigation concluded that Optus “did not have reasonable steps in place to safeguard the personal information held in its systems at the time the incidents occurred” as per the requirements of Australian Privacy Principle (APP) 11.

The severity of the breach was exacerbated by the fact that each incident affected large numbers of individuals and created “a risk of harm” for those people – particularly those whose details were published in the White Pages listing without their consent.

“In each case, there was a failure by Optus to detect the incidents,” Pilgrim's analysis concluded, noting that the incidents were brought to Optus's attention by third parties.

“This resulted in Optus experiencing substantial delays in taking action to contain each incident, which also prolonged the duration of the risk to affected individuals.”

Noting Optus' cooperation with the OAIC investigation, Pilgrim determined that the best outcome was the negotiation of the enforceable undertaking, which requires Optus to complete a series of reviews and certifications; provide copies of those reviews and certifications to the OAIC; implement any recommendations and rectify deficiencies identified in those reviews and certifications; and deliver third-party confirmation of the rectification to the OAIC.

The reviews, which must be conducted in accordance with ASAE 3100, an Auditing and Assurance Standards Board standard for managing compliance engagements, will include careful and audited efforts in areas such as penetration testing, which must be conducted on fixed and mobile services, on all major IT projects, and as part of Optus' annual monitoring program.

Optus must facilitate a review of the IT architecture of its 20 most risk-exposed systems that store and handle personal information, as well as undergo a review of its new voicemail system and conduct formal incident reviews of the three security breaches.

The company has 5 months to complete a detailed project plan and must engage an auditor to certify Optus's completion within 18 months of commencing its review. Vice president of corporate and regulatory affairs David Epstein will be charged with heading the effort to comply with the enforceable undertaking.

This article is brought to you by Enex TestLab, content directors for CSO Australia.