Internet service provider AAPT has been issued a formal warning by the Australian Communications and Media Authority (ACMA), following an investigation into a data breach in July 2012 which hacktivist group Anonymous claimed credit for.
According to ACMA, the ISP failed to protect the privacy of some of its small business customers’ personal information from unauthorised use or disclosure as required by the Telecommunications Consumer Protections (TCP) Code.
The consumer watch dog’s investigation found that billing and related personal information was stored in an offsite server managed by a third party, and was the subject of a hacking incident.
At the time, Anonymous had threatened to release 40GB of data from an ISP in protest over the Australian government’s proposed data retention laws--which could mean every Internet users' entire Web history was logged and stored for up to two years.
Anonymous also posted a message on its Par:AnoIA Twitter account which read:
“Apparently rumors are spreading much already. Let us point the attention to this link: http://en.wikipedia.org/wiki/AAPT.”
AAPT CEO David Yuile said at the time that two files were compromised and the data was historic, with limited personal customer information.
In November 2012 he told Computerworld Australia that the company had undertaken a review of its data retention policy.
“The review included a full assessment of where our data is kept and we’ve moved all of that data inside the AAPT network,” Yuile said.
According to ACMA chairman Chris Chapman, the formal warning was issued because Australian consumers need to have confidence that the personal information they give to their provider is treated appropriately and only accessed by authorised personnel.
“They also want to know that their details are stored securely with appropriate access restrictions,” he said in a statement.
Chapman added that since the incident last year, AAPT had taken steps to improve its processes and staff awareness of the provider’s policies about information management and privacy to comply with the privacy requirements in the TCP Code.
“Given the prompt action taken by AAPT to remedy the breach, the ACMA considers a formal warning is appropriate in the circumstances,” he said.
Follow Hamish Barwick on Twitter: @HamishBarwick