Saturday 10 December 2011

Telstra Privacy Breach Caused By An Unsecured RightNow Webform Being Indexed By Google



UPDATED 14 December 2011


Cached data from Google searches on the domain has now been removed and can no longer be viewed. The site is still online but now has an IP filter, so everyone outside of Telstra gets an error message (screenshot below). Is this enough security now that the domain is known?
Does Telstra Need A Free Trial of BigPond Security?



The privacy breach was first discovered by a Whirlpool forum user on 09/12/11. They performed a Google search and found a Telstra webpage used by staff to give customers information on their bundle orders.


The website address is http://telstratccmail.custhelp.com/app/bundles_search/. The site has now been taken offline, along with all other Telstra & BigPond online services.


The website domain custhelp.com redirects to RightNow.com, an online service that offers major companies all over the world, including Telstra, self-service tools, knowledge bases, customer correspondence tools, webforms and databases.


RightNow is yet to make a public statement on the privacy breach. As the breach was on a RightNow server and not a Telstra one, it would indicate that RightNow is at fault, but this might not necessarily be true, as they offer services for both customers and staff. Telstra would have requested the service and selected whether it was for internal or external use, and should have tested the service before going live.