In short:
The telecommunications watchdog has fined Telstra $1.5 million for failing to adequately protect customers from scams.
The company did not comply with new regulations requiring multi-factor authentication for important transactions such as resetting a customer's password.
What's next?
Telstra has promised to comply with the regulations in a two-year agreement with ACMA.
Telstra has copped a $1.5 million fine for leaving customers open to fraud and scam attempts.
An investigation by the Australian Communications and Media Authority (ACMA) found Telstra failed to authenticate customer IDs between August 2022 and April 2023 during 168,000 high-risk interactions such as password resets or SIM card swaps.
Rules introduced by ACMA in 2022 require telcos to use multi-factor ID authentication such as one-time codes before allowing changes or transactions that can compromise a customer's account, such as resetting a password.
The investigation found Telstra was not compliant with the new regulations and it identified more than 7,000 instances involving customers in vulnerable circumstances.
Authority member Samantha Yorke said victims of mobile fraud lost an average of $28,000.
"It is unacceptable that Telstra did not have proper systems in place when the rules came into force," she said.
"SIM-swap scams can be particularly devastating as victims can lose life savings as well as control of their phone number and other personal information."
SIM swaps refer to a request for a replacement if someone loses or damages their existing SIM card.
A Telstra spokesperson said the company was "very supportive" of regulations focused on customer security, but said the 2022 regulations were significant in scope.
"We had to design and deploy multi-factor authentication processes across all our channels," they continued, arguing the company missed the start date for the new regulations because it was making sure the processes worked properly.
ACMA did not find any direct evidence of losses from the breaches.
Telstra has agreed to a two-year undertaking with ACMA to take action on the breaches for future transactions, which is court enforceable if not followed.