Telstra, Optus, and Aldi Mobile warned by ACMA for not verifying new customer info
The Australian Communications and Media Authority (ACMA) has issued formal notices to a trio of telcos after finding each had failed to validate customer details when customers moved between carriers.
Medion Mobile, which powers Aldi Mobile and is owned by Lenovo, was caught out on 53 occasions, Telstra was found to have breached its obligations 52 times, and Optus was pinged for one violation.
“Historically it has been too easy to transfer phone numbers from one telco to another. All a scammer needed to hijack a mobile number and access personal information like bank details was a name, address and date of birth,” ACMA chair Nerida O’Loughlin said.
“We are cracking down on telcos that don’t follow the rules and leave customers vulnerable to identity theft.”
ACMA said those who experienced mobile number fraud typically lost more than AU$10,000, and struggled to “regain control of their identities for long periods of time”.
Since new rules on validating customer information came into effect early last year, the regulator said some telcos have reported the practice has stopped.
ACMA said anyone who believes they have fallen victim to such an attack should contact their telco and bank, change passwords, and report the act to the police, Scamwatch, and the Australian Cyber Security Centre.
As usual with telco rule breaches, the ACMA warned further violations could see a AU$250,000 fine per breach.
Earlier in the week, Lycamobile paid a AU$600,000 fine levelled at it, after ACMA found what it called “prolonged and large-scale customer data failures, which could have put people in danger”.
In its investigation, ACMA found 245,902 instances where the telco failed to pass on information to Telstra so it could maintain the Integrated Public Numbers Database (IPND) used by emergency services when responding to 000 calls, as well as the Emergency Alert Service.
ACMA said there were 5,671 instances where Lycamobile did not upload data to the IPND for “between three days and nine years” after gaining a customer. It also did not upload complete and accurate information for 240,231 customers, with over 210,000 customers being listed as connected in the IPND when they were disconnected.