Telstra Concerned About Honeypot Hackers Coming After Customer Metadata

Worried about your data being exposed under the Government's proposed metadata retention scheme? So is Telstra.

Telstra appeared before a Senate inquiry this afternoon, telling a panel of Senators it is concerned that being required to store customer metadata for two years, as the government has proposed, would make it a target for hackers.

Telstra's Director of Government Relations, Corporate Affairs, James Shaw, said that while the telco has strong security in place to fend off intrusions, it is worried about how hackers would behave once they knew a large, consolidated repository of customer data existed.

“We would like to think we've got robust security systems in place now, but having this amount of data collected and brought together could pose additional issues. We would have to put additional security on that. There could be an attraction for people who like to get into networks. They'd know there's a dataset there,” Shaw told Senators.

The panel asked Telstra to explain why customer data may be more attractive to hackers than financial data.

Telstra's Chief Risk Officer Kate Hughes added that the bar for protecting something like a customer's financial data is much higher than it would be for protecting customer metadata, simply because payment card data is covered by a globally accepted security standard, PCI DSS (the Payment Card Industry Data Security Standard). No comparably robust standard governs customer metadata, so a retained metadata store could be easier for attackers to break into and exfiltrate.

Hughes said that hackers would want a repository of metadata because the details in it could be used to defeat identity checks and two-factor authentication challenges.

“Telco data can be second-factor authentication, with phone numbers, addresses and such. The fact that we're well documented as having this data, keeping this dataset might make it a shopping list of data people could seek to find. The security need definitely increases for us,” she added.

The telco took the question on notice and has been asked to provide more information on why this may be the case.

Telstra's fears aren't without basis. When the former Labor Government was discussing its own attempt at a data retention scheme, hackers aligned with the Anonymous collective broke into a Melbourne IT datacentre, lifted the historical metadata of AAPT customers and published it online.

The incident served as a warning to telcos of what can happen when customer data sits at rest on a server for an extended period, reinforcing the need for strong security requirements in any future metadata retention scheme. As a result, Telstra is now wary of a retained dataset acting as a honeypot that draws attackers to it.

Kate Hughes told Senators, in a discussion about Telstra's privacy practices, that the telco's new policy is to store less data on customers rather than more. That way, Hughes added, Telstra can't “accidentally” breach someone's privacy.

Telstra has a long and unflattering history of breaching customer privacy inadvertently. In May last year, one of Telstra's third-party contractors let slip a few Excel spreadsheets containing nearly 10,000 customer records. 2012 saw 35,000 GameArena passwords reset after a hack, while a foul-up in December 2011 saw BigPond user records exposed.

By storing less data, Telstra hopes to avoid these sorts of incidents in the future: data that is never retained cannot be leaked.

Storing less data on customer behaviour runs counter to the approach of rival telco Vodafone. Vodafone told Senators this morning that it is actually working on storing some content data as well as metadata to bolster its self-service systems and show customers where they are using the data on their plan.

Curiously, Telstra was one of the only organisations compelled by the Senate to appear before the hearings to speak on metadata collection, following its decision not to lodge an individual submission on the topic. Instead, Telstra attached its name to the Australian Mobile Telecommunications Association (AMTA) submission on amendments to telecommunications interception laws.