Through this last year, there has been an increasing number of incidents where customers of high-profile companies have had their identifying data compromised. One of these incidents that put everyone in the IT world “on notice”, especially those involved in consuner-facing IT like ISPs or online services, was the Sony PlayStation Network / Qriocity break-in by LulzSec / Anonymous.
Close to that, I had attended a presentation and interview concerning the security of public computing services hosted by Alastair MacGibbon and Brahman Thiyagalingham from SAI Global, the report which you can see here.
The BigPond incident
Over the last weekend, Telstra had suffered a security breach that compromised the user details of some of their BigPond Internet-service customer base. This was through a customer-service search Webpage being exposed to the public Internet rather than Telstra’s own customer-service network.
The privacy compromise was discovered on Friday 9 December 2011 (AEDT) and mentioned on the Whirlpool forum site. It was in the form of an in-house “bundles” search page exposed to the Web with the database containing usernames, passwords and fully-qualified email addresses of a large number of the customer base at risk.
But Telstra had responded very quickly by locking down the BigPond customer email servers and Web-based self-service front-ends while they investigated the security compromise. The customers whose data was exposed had their passwords reset with them being required to call the BigPond telephone support hotline as part of the process.
As I do maintain an email account through this service for a long time, I had taken steps to change the password on this account. This was even though I wasn’t one of the customers that was subject to the aforementioned mandatory password reset.
Telstra also maintained a live channel of communication to its customers through their own Web sites, through updates to the main media channels and through an always-running Twitter feed. Once the email system was open for business, a follow-up email broadcast was sent to all BigPond customers about what happened.
My comments on how this was handled
Like the Sony PlayStation incident, this incident was one that affected a high-profile long-established brand which, like other incumbent telecommunications-service providers, was in a position where the brand has a bittersweet connotation. Here the brand is associated with a portfolio of highly-established high-quality stable telecommunications services but has had negative associations with poor customer service and expensive telecommunications services.
What I saw of this was that after the Sony incident and similar incidents against other key brands, the IT divisions for Telstra haven’t taken any chances with the data representing their customer base. They had quickly locked down the affected services and forced the necessary password-reset procedures in order to reduce further risks to the customers; as well as keeping customers and the public in the loop through their media, Web and Social-Web channels.
The Telstra incident also emphasised the fact that the risks can come from within an affected organisation, whether through acts of carelessness or, at worst, deliberate treacherous behaviour by staff. As I have said in the previously-mentioned interview and conference article, there needs to be data protection legislation and procedures in place in Australia so that a proper response can occur when these kinds of incidents occur.