Telecom database access privacy concerns

NZPA reports:

A marketing company working for Telecom’s rival, Slingshot, has been accused of accessing the telco’s Wireline database, which contains personal customer information.

Telecom Retail CEO Alan Gourdie said the telco was investigating the accusation of potentially fraudulently activity, detailed in today’s Herald on Sunday.

“If our investigation confirms unauthorised access we will pursue all appropriate action.”

Access to Telecom Retail’s Wireline information requires passwords and pin numbers and should only be accessed by authorised personnel, he said.

While the initial investigation will be on the marketing company’s conduct (and perhaps into possible criminal conduct on the part of several parties), questions must also be asked of Telecom – which Privacy Commissioner Marie Shroff has said she will do.

Regardless of whether a security breach has occurred, even if by the marketing company having acted unlawfully (and neither of these facts are yet established), there are obligations on Telecom (and other “agencies” making data available to third parties) to take reasonable measures to safeguard personal information. This is not limited to preventing unauthorised disclosure, but includes preventing unauthorised access and use. It can also extend to ensuring that systems are properly designed to protect personal information.

The reports do not say how long the alleged improper access went on, but does report that it was “common practice” by multiple staff (now former staff), which suggests a long time frame. The reports indicate that the access was via a single login (now deactivated) of a legitimate user. Questions include:

  • Were user logins (and failed logins) recorded?
  • If so, were they ever audited and how?
  • And if so, why was the improper use not detected?
  • Did the database allow multiple simultaneous logins, and if so was this intended / appropriate?
  • What password expiry regime (if any) was used for this database?
  • What restrictions (if any) were placed on legitimate users to prevent them from disclosing login information?
  • Were there any user warnings / confirmation processes as to appropriate use built into the database?
  • Was only the minimum amount of personal information necessary made available in Wireline in the first place?
  • Are there any other logins for this database, and other Telecom databases, showing unusual activity, which have not been adequately investigated?

Companies can and frequently do provide third-party access to their customer data. While proper contracts can ensure the commercial and legal aspects of these arrangements are appropriately documented, companies holding personal information must still be aware of their inherent obligations under the Privacy Act.