Tuesday, 22 November 2016

Have an Optus, Vodafone or Telstra mobile phone account? Your personal details may be on sale in Mumbai

The Sydney Morning Herald, 16 November 2016:

Corrupt insiders at offshore call centres are offering the private details of Australian customers of Optus, Telstra and Vodafone for sale to anyone prepared to pay.

A Fairfax Media investigation can reveal Mumbai-based security firm AI Solutions is asking between $350 and $1000 in exchange for the private information, but even more if the target is an Australian "VIP, politician, police, [or] celebrity".

AI Solutions is just one of potentially several private companies selling phone records, home addresses and other private details of Australian telecommunication company customers. They in turn have received the information from employees of the call centres used widely by Australian businesses.

Security industry sources said the practice has been long-standing. AI Solutions has told customers it has sold people's personal data for several years.

Optus has called in the federal police to investigate the data breach after it was contacted by Fairfax Media.

Optus, Telstra - which is holding an investor briefing in Sydney on Thursday - and Vodafone have stressed they are aware of the problem and have invested heavily in security procedures to counter it.

The revelation underscores the risks facing Australian consumers and businesses as a vast amount of personal or private data is collected and often stored offshore by service providers, financial institutions and government agencies.

It also raises fresh concerns about risks faced in using offshore call centres, where it may be more difficult to ensure data security.

AI Solutions actively markets its services to prospective Australian clients via an Indian businessman who uses the name Imran Khan. It is unclear if this is a false name.

But Fairfax Media has confirmed that AI Solutions has previously, and on numerous occasions, sold Australians' personal data to third parties.

It recently wrote to a Melbourne corporate intelligence and security company, boasting that it has a "long list" of Australian clients buying data from the offshore call centres.

"There are … 3 major telecom numbers details I can provide you. Telstra, Vodafone and Optus," the Indian company's representative wrote in a text message to a prospective client seen by Fairfax Media.

The company charges $350 to provide a person's home address and charges $1000 for a "full extract". This includes a person's home address, date of birth, alternative phone numbers and "more than 1 years billing statements" and "calling data history".

"And for VIP, politician, police, celebrity, charges are different," one message said.

While the data being illegally sold will not contain the actual content of text messages or what has been said during phone calls, it does contain information about who a person has called, the location at which a call is made and other sensitive data and metadata.

This information could be of use to companies engaged in corporate spying or intelligence gathering, private investigators, marketing firms and organised criminals seeking to engage in identity fraud, or to locate people. It is possible that foreign intelligence services could also use the data theft service.

The Indian firm requests payment via Western Union or MoneyGram remittance services……

The Australian Federal Police said it had spoken with Optus and Vodafone and had subsequently provided information to Indian authorities.

Office of the Australian Information Commissioner, media release, 17 November 2016:

Statement by the Australian Information and Privacy Commissioner, Timothy Pilgrim, on personal information of Australian telecommunication customers

17 November 2016

I am concerned about allegations that personal information of Australian telecommunication customers is being offered for sale online. My office is making enquiries with Optus, Telstra and Vodafone to determine what further action I may take in this matter.

These allegations, and the community response they have generated, are a reminder that Australian customers expect businesses to handle their personal information in line with Australian law no matter where they operate. 

If anyone has privacy concerns about this incident they can contact my office on 1300 363 992 or enquiries@oaic.gov.au.
