Telstra has paid a $1,551,000 penalty after failing to perform required customer ID authentication processes, leaving thousands of Australians vulnerable to SIM-swap scams and other types of mobile fraud.
The Australian Communications and Media Authority (ACMA) found that between August 2022 and April 2023, Telstra failed to use the required ID authentication processes for 168,000 high-risk customer interactions, such as for SIM-swap requests and password resets. This included over 7,000 interactions for customers identified as being in vulnerable circumstances.
Authority Member Samantha Yorke said Telstra’s non-compliance put thousands of its customers at risk of real harm.
“When the ACMA made these rules in mid-2022 we identified that victims of mobile fraud lose $28,000 on average,” Ms Yorke said.
“While there is no direct evidence anyone suffered losses because of these breaches, customers need to be able to trust that their telcos are protecting their accounts from fraud,” Ms Yorke said.
“SIM-swap scams can be particularly devastating as victims can lose life savings as well as control of their phone number and other personal information,” she said.
SIM swaps occur when someone requests a replacement SIM card or eSIM from their existing telco, such as when they lose or damage their existing SIM.
Ms Yorke said the customer ID authentication rules introduced in 2022 had been very effective in reducing SIM-swap fraud. The rules require telcos to use multi-factor ID authentication, such as verification of one-time codes sent to consumers, before allowing transactions that may compromise a person’s account.
“It is unacceptable that Telstra did not have proper systems in place when the rules came into force,” she said.
In addition to the financial penalty, the ACMA has accepted a comprehensive two-year court-enforceable undertaking from Telstra, committing it to appoint an independent consultant to review its compliance with the customer ID rules and to make improvements where needed.
Anyone who thinks they may be a victim of mobile fraud should contact their telco and financial institution immediately.
Help other Australians by reporting to .
IDCARE can help if your identity has been compromised or stolen and can be contacted on 1800 595 160 or at .