Australian telecommunications company AAPT has been the subject of an investigation led by Information Commissioner Timothy Pilgrim, who announced on October 15 that the company had failed to adequately protect its customers’ data from hackers.
What’s more, the Commissioner also found that AAPT had been retaining old customer records, breaching the Privacy Act by failing to destroy sensitive information it no longer needed.
The investigation uncovered that back in July 2012, AAPT’s customer data – stored on a hosted server – was compromised by hackers, and the information was posted online.
“While I appreciate the speed and the way in which AAPT responded to the incident, it highlights the importance of having appropriate security systems and contractual arrangements in place to avoid a breach such as this,” Mr Pilgrim said in a statement.
“Organisations should ensure that contracts with IT suppliers are clear about which party has responsibility for identifying and addressing data security issues.”
Mr Pilgrim added that in AAPT’s case, more could have been done to protect the data from hackers, including keeping applications and software up to date as new versions are released rather than continuing to run outdated equipment and programs.
Mobile application security is another area where businesses have plenty of room for improvement when it comes to protecting customer data.
AAPT breached the Privacy Act in several ways
Mr Pilgrim noted that there were several concerning outcomes of the investigation. In addition to the hackers gaining access to a large volume of customer data – including personal information that AAPT used to verify customers’ identities – the company was also holding on to data far longer than is acceptable.
“It was also concerning that the compromised servers contained old customer information that was no longer needed by AAPT,” he said.
“Holding onto old personal information that is no longer needed does not comply with the Privacy Act and organisations which do so are needlessly placing themselves in a position of risk.”
To help the internet provider strengthen its security and lower the chances of such a data breach happening again, the Commissioner offered the company several recommendations. These included training staff on how to appropriately destroy sensitive data that is no longer needed and conducting regular security audits of its IT infrastructure.
Shortly after Mr Pilgrim made the recommendations, AAPT implemented them.