Optus has escaped a financial penalty from Australia's privacy boss and instead must review its internal security measures after it shipped hundreds of thousands of routers with open internet ports and default credentials, left voicemail open, and published scores of private phone numbers.
The order, billed as an 'enforceable undertaking', calls for Australia's second-biggest telco to review its processes after a series of dangerous yet unsettlingly common breaches since 2013.
It is the first undertaking since the Privacy Act reforms hit in March 2014, when the law was upgraded to allow a maximum financial penalty of AU$1.7 million for the worst offenders.
Privacy Commissioner Timothy Pilgrim says in a statement the undertaking is appropriate given Optus voluntarily reported the breaches.
"I appreciate the positive way in which Optus worked with our office to address these incidents," Pilgrim says.
"I consider that the enforceable undertaking is an appropriate outcome that will ensure Optus takes steps to strengthen its privacy controls and meet its security obligations under the Privacy Act."
Optus was sent to the naughty corner for a 2013 website coding error that placed 122,000 private numbers in the White Pages phone book; for shipping, from 2008, 300,000 borked Cisco and Netgear modems that exposed management ports and contained default access credentials; and for a failure to slap passwords on voicemail, which allowed spoofers to listen to messages for about 100,000 customers.
The security balls-ups were disclosed last year.
A third-party auditor, armed hopefully with more than a clipboard and a checkbox, will examine Optus' penetration testing and vulnerability discovery processes as they relate to personal information, and the risk that its change management could introduce bugs.
The investigation would, this reporter hopes, be a redundant request for something Optus should have commenced immediately after the breaches.
Optus will supply the terms of the audit to Pilgrim before it kicks off and will need to implement any recommendations within 18 months.
More than 100 organisations had voluntarily reported breaches to the office since the reforms took effect, Pilgrim revealed earlier this month. He said he was pleased with the overall response and added that breached organisations would save money if they acted on their own initiative rather than waiting for the office to kick in doors.
It is unclear what level of misery Optus would need to inflict on its customers to warrant the pursuit of financial penalties, or whether the inclusion of the Netgear and Cisco borking should put telcos on notice given the current state of SOHO router security. ®