Telstra exposed thousands of customers to potential scams over a 12-month period after failing to perform required ID checks.
An Australian Communications and Media Authority (ACMA) investigation found that between August 2022 and April 2023, Telstra failed to use the required ID authentication processes for 168,000 high-risk customer interactions, such as for SIM-swap requests and password resets.
ACMA Member Samantha Yorke said the actions of Telstra, which has paid a $1.55 million penalty for the non-compliance, put thousands of its customers at risk of real harm.
Ms Yorke said by failing to perform required customer ID authentication processes, Telstra left thousands of Australians vulnerable to SIM-swap scams and other types of mobile fraud.
“When the ACMA made these rules in mid-2022 we identified that victims of mobile fraud lose $28,000 on average,” she said.
“While there is no direct evidence anyone suffered losses because of these breaches, customers need to be able to trust that their telcos are protecting their accounts from fraud.”
Ms Yorke said SIM-swap scams were particularly devastating as victims could lose life savings as well as control of their phone number and other personal information.
She said SIM swaps occurred when someone requested a replacement SIM card or eSIM from their existing telco, such as when they lost or damaged their existing SIM.
Ms Yorke said the customer ID authentication rules introduced in 2022 had been effective in reducing SIM-swap fraud.
“The rules require telcos to use multi-factor ID authentication, such as verification of one-time codes sent to consumers, before allowing transactions that may compromise a person’s account,” she said.
“It is unacceptable that Telstra did not have proper systems in place when the rules came into force.”
