Telecom rival implicated in security breach

Mark Callander. Photo / Janna Dixon

A major security breach has revealed personal details of every Telecom customer - and a commercial rival is implicated.

The Herald on Sunday accessed the Telecom database using login details supplied by sales staff working for rival telco Slingshot. It gave us names, addresses and billing details for every Telecom customer.

The discovery has dismayed the Privacy Commissioner Marie Shroff, who yesterday announced she would investigate.

The Herald on Sunday has spoken to five former staff of Slingshot's sales contractor, Power Marketing Limited, who say staff accessed Telecom customer details as part of their sales business. All five said they knew they were not allowed to, but it was common practice. They accessed the Telecom database, known as Wireline, from a computer in the Power Marketing offices in Newmarket, Auckland.

One former staff member said that the database, which contains an estimated 2.15 million names, gave sales staff the ability to know exactly what Telecom plans the customer was signed up to, how much was paid for the plan and whether they were tied to a contract.

It did not allow them to see customer credit card details or what numbers anyone had called. But the informant said it put Telecom customers at a disadvantage because sales staff knew their account details better than they did and customers might gain the mistaken impression they were talking to Telecom staff.

Slingshot, New Zealand's fastest growing telco, surged in popularity after it hired telemarketing company Power Marketing to cold-call potential customers. The company has previously said its sales staff brought in 160,000 new customers for Slingshot in just two years.

Telecom retail chief executive Alan Gourdie yesterday would not rule out going to the police over the security breach.

"We're just outraged. This is our customer data - potentially fraudulently used. We will pursue this to all remedies that are available."

He said the account details provided by the Herald on Sunday had been traced to a legitimate account used by a Telecom dealer to carry out its business. He said the inquiry had yet to discover how the account - now closed - had wound up with Power Marketing Limited.

"When it falls into the wrong hands it can be used for commercial advantage, which is what seems to have happened. They have no rights of access to that information for whatever purpose. It is outrageous."

Gourdie said sales tactics employed by Slingshot were under investigation by the Commerce Commission.

He said the complaint was laid by Telecom after large numbers of people complained about being signed up to deals they didn't understand - a practice known as "slamming".

Power Marketing Limited owner Paul Ross yesterday said: "We use Wireline from time to time." When asked if it was used for sales, he denied it then disconnected the call.

CallPlus chief executive Mark Callander - who oversees Slingshot - said he had quizzed Ross about Wireline and was yet to find out how the company had gained access to it. He said he had arranged to meet Ross today but said Power Marketing Limited was highly unlikely to have the right to access Telecom's customer information through Wireline. However, he said he had an assurance from Ross it was not used for sales.

"If that is not the case there will be severe ramifications."

He said his inquiries suggested the actions were carried out by sales staff without management knowing.

"I'm certainly not comfortable with the activities that have been described."

PROTECTION FOR CUSTOMERS IS VITAL

Telecom is facing calls to assure the public its databases are protected after the security breach exposed by the Herald on Sunday.

The paper gained access to a database that allowed us to find a customer's address by searching their phone number. Billing info was also revealed.

Privacy Commissioner Marie Shroff said she intended to ask Telecom to explain the privacy breach.

"We expect Telecom to contact us to tell us what has happened here, and how it intends to deal with any security loopholes in its system.

"We'll monitor things closely to make sure people's personal information is properly protected."

Victim Support chief executive Tony Paine said: "It is outrageous." There were "much wider privacy issues", but the breach would cause concern for those who sought privacy for safety reasons and trusted Telecom would safeguard their details.

A Women's Refuge spokeswoman echoed his concern.