The personal data of 31,150 mostly former Optus customers was posted on short-term job website Freelancer.com in a major breach of their privacy, Crikey can reveal.
Earlier this week, Crikey reported that an employee of the telecommunications company’s debt collector ARC Mercantile had posted a spreadsheet of data of customers who owed a debt to Optus onto Freelancer.com, a job auctions website where potential workers bid to undertake a variety of short-term jobs or tasks.
Against the policies of both Optus and ARC Mercantile, the employee was seeking to get a Freelancer.com worker to analyse the data (which was the ARC Mercantile employee’s job) and uploaded a spreadsheet of the data earlier this year. The data included customer names, contact numbers, physical and email addresses, dates of birth and debt collection history information.
The data has since been removed from Freelancer.com, and Optus has been attempting to track down the 51 people who accessed the data while it was online to have the data destroyed.
Optus has subsequently sent out a letter to customers who had their data posted online advising them of the situation and offering a free alert service for potential identity fraud. The company has said those who are affected might want to change their phone numbers.
Optus would not say how many customers were affected, but Crikey has learned that the breach affected 31,150 people.
According to an internal Optus document seen by Crikey, of the 31,150 people affected, only 164 remain Optus customers. They cleared their debts and had their services reconnected. The remaining 30,986 people remain disconnected.
Optus says in the document that while ARC Mercantile had been managing the debt of those customers, because of the breach, Optus has decided to manage the debt for those customers internally. Optus has not told Crikey that it intends to sever its relationship with ARC Mercantile.
Optus has not said it intends to pre-emptively forgive all of the debts of the 31,150 customers, but the document reveals Optus is prepared to pay compensation for those affected, including for phone number changes, passport replacement and other ID changes. There is also the option for “discretionary credits” to be issued to resolve debts for customers who complain about having their data exposed.
Crikey asked Optus to confirm the figure yesterday, but the company again refused to comment. Optus has over 9 million active mobile services.
ARC Mercantile has also declined to state whether the employee who was seeking to outsource his or her own job had been fired, stating simply that “all necessary disciplinary action” had been taken.
The Australian Privacy Commissioner Timothy Pilgrim was informed of the breach by Optus and ARC Mercantile.