The scale of a Telecom security breach is becoming apparent with hundreds of thousands of customers at risk of having had their personal details searched.
Sales staff working for commercial rival Slingshot have told the Herald on Sunday they would use Telecom’s Wireline database more than a thousand times on some days.
The Privacy Commissioner’s office has also announced an investigation:
“At this early stage we understand from Telecom that the security breach related to the login details for one Telecom dealer and that login has since been deactivated,” said Ms Evans.
“We will need to investigate further to find out how this happened and whether Telecom needs to make any improvements to its data security practices to adequately protect customer information.”
A key question is how one login could be used, sometimes more than a thousand times a day, over a multi-year period, without being detected.
A criminal investigation is also likely. Possible charges for improperly accessing a database include:
- Accessing a computer system without authorisation (section 252 Crimes Act); and
- Accessing computer system for dishonest purpose (section 249 Crimes Act).
For criminal charges to stick, there must be the necessary criminal intent. A staff member who was told to use a database, and innocently did so with no idea that their access was not authorised, cannot be liable. Knowledge of improper access, or “reckless disregard”, is key.
The Privacy Commissioner’s office has also warned against the use of confidentiality agreements as “window dressing” for proper privacy protection. A confidentiality agreement cannot absolve third-party liability, but most of them do contain indemnity clauses, which can allow full (or nearly full) recovery of all losses and costs arising from a breach in appropriate circumstances.