Failed to perform customer ID authentication for 168,000 high-risk interactions.

Telstra has paid a $1.5 million penalty for failing to perform customer identity authentication processes for 168,000 high-risk customer interactions.

An investigation by the Australian Communications and Media Authority (ACMA) found the telco’s non-compliance with authentication rules ran from August 2022 to April 2023 for interactions such as SIM-swap requests and password resets.

The rules, introduced in April 2022 as the Telecommunications Service Provider (Customer Identity Authentication) Determination 2022 and in force from 30 June that year, require telcos to provide various measures to protect customers when undertaking “high-risk” interactions, such as SIM-swap requests, changes to accounts or disclosure of personal information. These measures include multi-factor ID authentication, having systems in place to identify and protect customers at risk of fraud, and publishing customer awareness information on their websites.

The investigation found Telstra did not use authentication processes in its customer contact centres, in its apps and in customer interactions with its Belong subsidiary. In the latter case, customers who could not complete authentication processes were asked additional security questions, which is not considered a valid process under the Determination.

Of the 168,000 high-risk interactions, the ACMA said over 7,000 were with customers in vulnerable circumstances.

During the ACMA’s investigation, Telstra informed the Authority in 2022 that its planned compliance with the Determination would take longer than the 30 June enforcement date and would not be completed until the end of the year.
While it did confirm that the compliance work was completed on 30 December, the telco told the ACMA that an error in its testing environment meant it was non-compliant with part of the Determination from 15 December until 26 April the following year.

Authority member Samantha Yorke said it was “unacceptable” that Telstra did not have proper systems ready when the new customer ID authentication rules came into place in 2022 and put thousands of customers at risk of “real harm”.

“When the ACMA made these rules in mid-2022 we identified that victims of mobile fraud lose $28,000 on average,” she said. “While there is no direct evidence anyone suffered losses because of these breaches, customers need to be able to trust that their telcos are protecting their accounts from fraud.

“SIM-swap scams can be particularly devastating as victims can lose life savings as well as control of their phone number and other personal information.”

As well as paying the penalty, which came to $1,551,000 in total, the ACMA has accepted a two-year court-enforceable undertaking from Telstra, which includes appointing an independent consultant to review its compliance with customer ID rules and to make appropriate improvements.

In a statement sent to ARN, a Telstra spokesperson claimed the scope of the changes was “significant”, as it had to design and deploy multi-factor authentication processes across its channels while maintaining its ability to service customer requests, including those from customers who could not complete multi-factor authentication.

“We needed to take the time to get the implementation right for our customers and while we made the changes as quickly as possible, we were not able to meet the initial commencement date for some aspects of the new rules,” the spokesperson said.
“We kept the ACMA informed, took measures to minimise the risk to customers and the ACMA investigation did not uncover any evidence of losses throughout our phased implementation.”

The ACMA’s investigation into Telstra comes just under a month after Symbio Wholesale and Symbio Networks were found by the Authority to have breached information-sharing and reporting obligations in June.