Around 30,000 names and email addresses of past and present Telstra staff have been posted on the dark web, on the same forum where the Optus breach was shared last week.
In an internal note to staff, Telstra said the data breach came from a third party the company was using to run a rewards program for staff.
“No customer account information was included. We believe it’s been made available now in an attempt to profit from the Optus breach,” said a company spokesperson.
Telstra sought to downplay the breach, emphasizing that it was “not a major cyberattack”… “It’s not a breach of an internal system ... it’s a platform we no longer use and haven’t used for a number of years.”
No private or personal information was leaked and only names and work email addresses of employees were shared, said the company.
“The limited Telstra employee information dates from 2017 so many of the employees would no longer be working for the company,” said a spokesperson.
A total of 12,800 of the 30,000 employees whose names and email addresses were leaked are still employed by Telstra. Passwords of all those affected were reset as a safety measure.
“We understand this may cause some anxiety to our people, particularly in the current climate of heightened awareness around cyber security,” Telstra said in a statement to staff.
Stories like this should give employers pause to think carefully about the information they collect and collate from their employees, especially when that information is being provided to third parties, said Julian Arndt, Associate Director at Australian Business Lawyers & Advisors.
“The cost of a data breach is not simply borne by individuals who have their information published. These incidents can give rise to massive business risks, both from a publicity perspective but also from a commercial security perspective,” said Arndt.
The Telstra leak comes in the wake of millions of Australian customers of Optus having their details, including names, addresses, phone numbers, passport numbers and driving licenses, stolen from the telco’s database by hackers.