Telecom's customer data open to ex staff

Photo / Thinkstock

Former employees have questioned Telecom's security policies and one can still look up customer details despite having left his job two months ago.

Andrew Rozen, who worked in a customer service role from March to November last year, checked if he could access Telecom's Wireline database after accusations of a security breach this month.

The breach allegedly allowed Power Marketing, a company working for Slingshot, access to Telecom's Wireline database, which contains customers' personal information.

"After reading a few articles on Wireline, I wondered if I could still access the site. After three or four attempts at [remembering] what my password was I got in, and had free rein," Mr Rozen said.

"It brings to light how many other people not employed by Telecom could potentially have access to this data."

While working for Telecom, Mr Rozen said he took calls from customers who had been contacted by third-party companies and were wondering how these companies had their details.

"Of course we never knew."

Mr Rozen said that while he never gave out personal information, he was never told to keep customer details secure.

"I don't remember receiving anything or being told, 'You need to keep these details to yourself, don't pass them on. Or if you're leaving let us know so we can take away your access.'

"None of that was brought to my attention."

Telecom refused to comment on Mr Rozen's situation, but told the Herald investigations into the alleged Slingshot security breach were ongoing.

When the allegations surfaced, Telecom's retail chief executive, Alan Gourdie, stressed the stringency of the company's security.

"Telecom has detailed security policies and practices in place that we review regularly and update ... Access to Telecom retail's Wireline information requires passwords/pins and should only be accessed by authorised personnel in the provision of Telecom retail services," Mr Gourdie said.

However, a former national sales manager for Telecom, who worked with third-party organisations accessing Wireline for Telecom, was surprised at the company's response.

"We signed up so many organisations and we never vetted them in any way. It was all about hitting our sales numbers," he said.

The man worked for Telecom a number of years ago and did not want to be named.

New staff at third-party organisations were issued with a new code, he said, and none were disabled after anyone left. "I'm surprised this hasn't come out sooner. It's a catastrophe waiting to happen."

WHAT IS WIRELINE

* Telecom's customer database.
* Contains the names, addresses and billing details of every Telecom customer.
* Has a customer's plan, how much they paid for it, and if they were tied down in a contract.
* Has no credit card details or numbers customer has called.
* Allegedly accessed by Power Marketing, a contractor for Telecom's rival Slingshot.
* Telecom and the Privacy Commission are investigating the alleged security breach.