On Friday, an unsecured search page left account information for Telstra users completely accessible to anyone who cared to look. The breach was discovered by a Whirlpool user, who came across it simply by searching on Google for a “Bundles” support number provided to him by a customer service representative.
Telstra was quick to shut the page down, along with its email network, which was shuttered for close to 24 hours, according to reports.
While it was active — and at this stage no one is sure how long the page was unsecured for — it was possible to search for customer names, plan details and usernames, comments on specific users and even passwords.
The leak was first identified — almost by accident — in this post on the Whirlpool forums, but it has since spawned its own discussion thread.
The Australian reported that credit card details were also available, but was unable to confirm it, while SMH is saying that credit card data was not only encrypted, but not displayed. Hopefully we’ll have clarification on this point in the near future.
A story regarding the incident in the Sydney Morning Herald states that Telstra is investigating the issue and will make the Privacy Commissioner aware of the details. If the Commissioner’s views on the Sony data breach from earlier this year are anything to go by, Telstra had best do it sooner rather than later.
It appears some 60,000 account passwords were reset, but I’m sure we’ve yet to find out the full ramifications of the breach. Let us know if your password was reset, or Telstra has been in contact personally regarding the breach.
[SMH, with The Australian and Herald Sun]
[Thanks to everyone who sent in tips]