Telstra CISO Mike Burgess says the telco has taken steps to tighten its security controls following three data breach investigations launched by Australian Privacy Commissioner Timothy Pilgrim since 2010.

The latest investigation followed an incident in May 2013, when it emerged that 15,775 phone numbers, names and home addresses held in spreadsheets could be found online via a Google search. Pilgrim concluded that Telstra had breached three National Privacy Principles (NPPs):

NPP 4.1 – failure to take reasonable steps to ensure the security of the personal information it held
NPP 4.2 – failure to take reasonable steps to destroy or permanently de-identify the personal information it held
NPP 2.1 – disclosure of personal information other than for a permitted purpose

The first investigation began on 28 October 2010, when Telstra told the Office of the Australian Information Commissioner (OAIC) that a mailing list error had resulted in approximately 220,000 letters being mailed to incorrect addresses. Telstra disclosed that the error may have caused the personal information of some of its customers, including names and telephone details, to be improperly disclosed. Following his investigation, Pilgrim concluded that Telstra had breached NPP 2 by disclosing the personal information of some of its customers to unauthorised third parties.

On 12 December 2011, Pilgrim opened a further investigation after Telstra's customer service website was found to be openly accessible on the Internet. The telco said that once it was made aware of the privacy breach it disabled the online billing, BigPond self-care and My Account functions on its website.

In response, Burgess told CIO Australia that Telstra has put a "lot of effort" into training staff about security issues.
"The challenge is not just from external hackers. If we don't do everything possible to protect our information, we will have issues," he said. "If there is a data breach, you have to tell the customer or owner of that data."

He added that Telstra CEO David Thodey has "made it very clear" in an email to staff that they need to look after customer data. Burgess's team of 240 information security staff, for example, constantly scans the telco's networks and infrastructure for attacks.

"We have a program of scanning new products and websites when they are put online. These products and websites are subject to mandatory security testing, and when we make changes to our systems or networks, we apply mandatory checking to those systems.

"Security is an ongoing process; we can't sit back and relax. For me, customer privacy is our number one priority."

Heartbleed

When the Heartbleed bug emerged in April 2014, Burgess said, his team put detection mechanisms in place so that the telco could detect the vulnerability.

"We found a number of areas where products we used had OpenSSL. They were identified, and plans were put in place to fix those products," he said. "We saw people scanning us, looking for that [OpenSSL] vulnerability, but we were able to shut them down."

According to Burgess, all of the OpenSSL products that were connected to the Internet, and could be exploited externally, have been fixed.

"We have a small number of issues internally, but there is no risk from someone outside of Telstra exploiting those," he said. "The reason for that slight delay internally is we keep our networks up and running. There is a change process involved to make sure we don't impact customer services."

Board education

Like most CISOs, Burgess has to present cyber security issues to his board.
And while Telstra executives are "tech savvy", Burgess said he takes the time to explain the issues in "normal language", including what the cyber security issue is and what can be done about it.

"Through our risk audit committee, there are regular meetings every three months and they are hearing about the information security risks that we have identified.

"It's our customers' data we are looking to protect, along with our company's sensitive information."

Follow Hamish Barwick on Twitter: @HamishBarwick