Yes, that's right. All I had to do was provide the person's first name, last name and email address to do a password reset and gain full access to her account.
In a LiveChat with Telstra on April 19th, during an appointment where I was assisting a client (someone who was visiting from Sydney) who did not know her Bigpond email password, I told the agent that we had unsuccessfully tried to do a password reset online. When we had attempted the reset, we got a message that the details we provided (including birthdate) were rejected.
In asking for assistance via the LiveChat, all I provided to the agent was the person's first name, last name and email address.
There was no request from the agent for any further information - no birthdate, no address, no phone number, no account number, nothing.
The Telstra agent simply provided a temporary password for the account - so that I could immediately log in and reset the account password.
Lovely, but ...
WHAT IF I WAS A SCAMMER?
This Telstra staff member had just given me access to the client's mail and Telstra account without doing any sort of verification of identity. If I was that way inclined, I could do all sorts of password resets, bury some mail rules so that I could monitor and manage her messages even after the password was reset again, send emails pretending to be this person, and do all sorts of things in terms of managing her Telstra account.
I too am a Telstra customer, and was appalled to think that my account could possibly be accessed by anyone, anywhere, just by providing my name and email address.
You'd think Telstra would care about such a breach ...
Very disturbed about what had just happened, I saved the LiveChat transcript as evidence and called Telstra to lodge a complaint.
As with most calls to Telstra, this took a long time! I provided an outline to the agent, and asked to be escalated to someone from the Privacy area, to discuss this breach - seeking to gain assurance that they would investigate and that this would not happen again.
The agent took down all the details, and asked me to send the transcript of the LiveChat session to him directly. I was told the details of my complaint would be sent to a specialist privacy team, and that someone would call me within 48 hours.
I waited 2 weeks. No-one called.
So I called again on Tuesday this week (1/5). This time I was kept on the phone for 30 minutes by an agent who told me that he could see the details of my complaint, but could also see that it had not been assigned to anyone yet. I asked that someone call me about the complaint within 24 hours, or I would be forced to take the complaint beyond Telstra.
This agent kept me on the phone for 30 minutes, asking me to hold for '2 minutes' (about 5 times) to be transferred to the relevant team. After holding for about 3-5 minutes each time, I asked him to stop putting me on hold, getting more and more irate at the waste of my time. In the end, I was forced to hang up after he once more insisted on putting me on hold.
After the call, I got one of the standard 'Get back in touch' emails from this person, but once again I have received no follow-up call from Telstra on this matter.
I have looked at what one should do in the case of a privacy breach. Here is the web page from the Office of the Australian Information Commissioner that covers this topic.
The advice on this page is to notify the organisation involved first, and give them a chance to respond. If this doesn't occur within 30 days, then a complaint can be lodged with the OAIC (Office of the Australian Information Commissioner). Here is the link:
So, I will wait another 10 days and, if I hear nothing back from Telstra, I will lodge a complaint with the OAIC.
Stay tuned - I will update this blog article with any results.
iTandCoffee is at 34 High Street Glen Iris 3146, Victoria Australia
Call 1300 885 420 or (03) 9886 0814
© 2012-2018 iTandCoffee Pty Ltd. All rights reserved ACN: 606 340 434