AAPT breached Privacy Act
Privacy Commissioner Timothy Pilgrim has found that AAPT breached the Privacy Act. Photo: Michele Mossop
Australian internet service provider AAPT breached the Privacy Act for failing to adequately protect customer data from unauthorised access, an investigation by the privacy commissioner has found.
In a ruling handed down on Tuesday afternoon, the Commissioner also said AAPT failed to comply with its obligation to destroy or permanently de-identify information no longer in use.
But commissioner Timothy Pilgrim was unable to impose any penalties, as current privacy laws do not give him that power. This will change in March next year, when amendments will give his office the power to fine those who negligently breach people's privacy up to $340,000 for individuals and $1.7 million for corporations.
An image Anonymous Australia uses in a YouTube video explaining why it did the AAPT hack.
The commissioner's findings relate to an incident in July 2012, when AAPT customer data held on servers hosted by IT contractor Melbourne IT was hacked and published online.
Hackers from Anonymous published the information, which in some cases included AAPT clients' mobile phone numbers, to highlight the dangers of a proposal to force telcos to store every Australian's web history for up to two years. The hackers said that storing sensitive details such as web history in a database could result in groups like theirs hacking the database and leaking the information.
"While I appreciate the speed and the way in which AAPT responded to the incident, it highlights the importance of having appropriate security systems and contractual arrangements in place to avoid a breach such as this," Mr Pilgrim said.
AAPT CEO David Yuile. Photo: Nic Walker
"Organisations should ensure that contracts with IT suppliers are clear about which party has responsibility for identifying and addressing data security issues."
Mr Pilgrim added that more should have been done to appropriately manage and protect the information.
"Using older versions of applications and software when newer versions are available is a risk that needs to be actively managed, particularly when personal information is involved," he said.
According to the commissioner's office, the compromised server held websites and databases containing personal information about AAPT business customers, used to verify their identity and to run a quoting and billing system for AAPT sales staff. The information included details collected for the purpose of obtaining credit reports on AAPT business customers and details used for transferring telephone numbers from other carriers, it said.
"It was also concerning that the compromised servers contained old customer information that was no longer needed by AAPT," Mr Pilgrim said.
"Holding onto old personal information that is no longer needed does not comply with the Privacy Act and organisations which do so are needlessly placing themselves in a position of risk."
The commissioner made a number of recommendations that AAPT has now implemented. They include implementing regular training for staff in relation to data retention and destruction, ensuring all IT applications are subject to vulnerability assessment and testing, ensuring effective lifecycle management and conducting regular audits of AAPT's IT security framework.
The ruling follows a survey released last week that said Australians were more concerned about their privacy than ever before. An overwhelming 97 per cent of respondents regarded it as a misuse of their personal information when it was collected for one purpose and then used for another.
This reporter is on Facebook: /bengrubb