IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Telstra suffers 'sizeable' data breach, mandates two-step security upgrade

The breach affected around 30,000 past and present employees, with their information being posted in the same forum that the Optus attackers used

Australia’s largest telecoms operator Telstra has been hit by a data breach and has told customers they will have to enable two-step identity protection on their accounts within a month.

The policy will come into effect on 5 October, a new website banner shows. The announcement of enhanced security measures has arrived just two weeks after rival telco Optus also suffered a similar attack.

Related Resource

The data strategy report

What CDOs need to know

Whitepaper cover with title and overhead image looking down at colleagues sat at a curvy desk, talking with papers and laptopsFree Download

Telstra confirmed the incident involved the access of employee details, although it wasn’t a breach of a Telstra system. The company said a third-party platform was attacked instead and was used to access the telco's data.

The company confirmed the data involved in the breach belonged only to Telstra employees and included first and last names as well as email addresses. The data itself dates back to 2017 and no customers are believed to be affected.

Around 30,000 past and present employees were affected, as reported by 7News, with the information being posted on Breach Forum, the same forum on which data involved in the Optus attack was posted two weeks ago.

The hack related to information handled by a third company party for the telco’s WorkLife NAB rewards programme for staff, run by Pegasus Group Australia/MyRewards International.

The details had been leaked on the forum last week but there isn’t any personal information contained in it, only professional details, the same kind that can be found on Google or LinkedIn, a source told the local news outlet.

The rewards programme is a platform the company no longer uses and hasn’t used for a number of years, they added. They claimed the hacker is trying to sell off the data as new information, too.

“The data released is very basic in nature – limited to full names and email addresses used to sign up to the platform,” a Telstra spokesperson said. “No customer account information was included. We believe it’s been made available now in an attempt to profit from the Optus breach.”

Telstra has notified the relevant authorities as well as current employees. It added that while the data is of minimal risk to former employees, it will attempt to notify them too.

"This latest breach at Telstra is a stark reminder that just managing your own security posture isn’t good enough," said Markus Strauss, head of product management at Runecast to IT Pro

"Far too often companies are focused on their own internal security efforts, all while forgetting the third-party providers that potentially have access to their environments or their data. The end result is what we see at Telstra, the unauthorised access to data. Companies need to wake up to the very real threat of third-party tools and partners and demand better security and attestation of their security measures as part of the onboarding of any new third-party provider."

The data breach occurred right after Optus was hit by a cyber attack last month, resulting in the leaking of sensitive customer data. The telco said that it potentially exposed data including customer names, phone numbers, email addresses, and dates of birth. Some customers may also have had their passport and driving licence numbers exposed in the attack.

New two-step security for all customers

The new two-step policy was introduced to help ensure that Telstra is talking to the customer instead of someone pretending to be them, it said.

User on an Australian forum indicated that Telstra customers first encountered the new banner informing them of the two-step authentication policy last week.

Instead of a traditional two-factor authentication (2FA) model, it will involve adding an additional security layer to accounts whereby users log in using their phone number and a personal identification number (PIN), according to users who were served the banner.

“As of October, this will become a mandatory step for our customers following the introduction of new customer identity verification rules by the Australian Communications and Media Authority (ACMA),” said Telstra.

The ACMA imposed the new rules as of 30 June 2022 but according to reports that month, Telstra had not revealed a date by which it planned to implement the necessary protections to meet the regulator's new standards.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Recommended

Japan considers creating new cyber defence agency as attacks ramp up in region
cyber attacks

Japan considers creating new cyber defence agency as attacks ramp up in region

24 Nov 2022
UK follows EU in securing data deal with South Korea
Policy & legislation

UK follows EU in securing data deal with South Korea

23 Nov 2022
Inside Singapore’s mission to infuse itself with technology
digital transformation

Inside Singapore’s mission to infuse itself with technology

23 Nov 2022
India’s new data protection bill continues to “facilitate state surveillance”
Policy & legislation

India’s new data protection bill continues to “facilitate state surveillance”

21 Nov 2022

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation
cyber crime

Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation

25 Nov 2022