Circles.Life has paid around $300,000 after the ACMA declared the Aussie telco failed to undertake required customer identity checks.
Customer identity checks are important; they play a large part in preventing scammers from pretending to be someone else. Cracking down on phone scams has been a big focus for the Australian Communications and Media Authority (ACMA). It introduced rules back in 2020 that required second steps, such as multi-factor identification, to prevent fraud.
Where the ACMA finds non-compliance, telcos can expect strong action including potential commencement of Federal Court proceedings and pursuit of significant civil penalties.
The ACMA said it was actually its work on fighting phone scams that led to telco Circles Australia Pty Limited paying a $199,800 infringement notice.
The ACMA said Circles.Life failed to undertake required customer identity checks. It found 1,787 contraventions of industry rules for phone number transfers using Circles.Life SIMs purchased from retail stores between August and December 2021.
As a result, 42 customers experienced fraud-related issues such as compromised emails accounts and loss of access to banking accounts. The ACMA said at least seven of these Circles.Life customers experienced financial losses.
In addition to the $199,800 infringement notice, the company has also offered over $100,000 in compensation to customers who had their services compromised by scammers who took advantage of these lapses.
“It is deeply concerning that Circles.Life did not have proper processes in place for such a long period and that so many people were affected or put at risk of identity theft and fraud,” ACMA chair Nerida O’Loughlin said.
“Combatting these types of scams requires concerted action by all telcos and one weak link exposes all consumers to harm.
“It is the customers of other telcos who have fallen victim in this case by having their number transferred to Circles.Life without their knowledge.”
Circles.Life, the ACMA said, responded quickly once it was aware of the problem by implementing the required identity checks, appointing regulatory staff to oversee its activities and providing some recompense to the 42 affected consumers. All 42 numbers were returned to their rightful owners some time ago and Circles.Life said new processes and policies have been implemented to ensure that it never happens again.
“Some of the victims have experienced significant stress due to Circles.Life’s failure and we are pleased to see the company is providing recompense to acknowledge the profound emotional toll and disruption often caused by these scams,” O’Loughlin added.
Circles.Life CEO Nicholas Demos told Gizmodo Australia that while there were security measures in place, there was a vulnerability in the company’s process.
“In line with the Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020, we were required to implement a one-time-password verification process for all port-ins by 30 April 2020. While this was done for all online port-ins, which represent the vast majority of our business, it was not done for port-ins done through our retail channels. While other verifications and security measures were in place, it represented a vulnerability in our process and breach of the Industry Standard,” he said.
“Within two weeks of becoming aware of the situation we had designed, tested and deployed a fix which closed the vulnerability permanently.
“This is a first for us and we are deeply sorry to our customers, and the industry, as we know this represents a loss of trust. We have an enviable record and have established telco operations in five very different countries around the world and successfully navigated five unique regulatory landscapes with their own rules, processes and legislation. We have never made an error like this before and we’re committed to ensuring it never happens again.”
This article has been updated since it was first published.