An investigation by Australian Privacy Commissioner Timothy Pilgrim has found that AAPT breached the Privacy Act by failing to protect customer data from unauthorised access.
The internet service provider also breached the Act by not destroying customer information that was no longer used.
In July 2012, AAPT customer data held on servers hosted by IT contractor Melbourne IT was hacked and published online by members of Anonymous.
The compromised server held a series of websites and databases that included personal information about AAPT business customers, information that was used to verify the customers' identities. It was collected for the purpose of obtaining credit reports on AAPT business customers and transferring telephone numbers from other telecommunications carriers.
AAPT CEO David Yuile said at the time that two files were compromised and the data was historic, with limited personal customer information.
In his report, Pilgrim said that “more should have been done” by the company to manage and protect customer information.
“Using older versions of applications and software when newer versions are available is a risk that needs to be actively managed, particularly when personal information is involved,” he said in a statement.
“It was concerning that the compromised servers contained old customer information that was no longer needed by AAPT. This does not comply with the Privacy Act and organisations which do so are needlessly placing themselves in a position of risk.”
Pilgrim added that companies should ensure contracts with IT suppliers are clear about which party has responsibility for identifying and addressing data security issues.
He made a number of recommendations to AAPT, including regular training for staff about data retention, ensuring all IT applications are subject to vulnerability assessment, and conducting regular audits of AAPT’s IT security framework. The company has implemented the recommendations.