EXCLUSIVE: The 'secrets' Telstra made public and then tried to hide again because of hacker fears

Photo: Frank Connor – © 2014 – Universal Pictures via IMDb.

Telstra has found out the hard way that secrets, once exposed to the scrutiny of the public eye, are difficult to cloak in a blanket of confidentiality again.

Australia’s biggest telco was itself responsible for releasing, in Federal Court hearings that form part of a larger case in which Telstra is accused of infringing patents, information about its own systems that it later said made it more vulnerable to hackers.

Sometime after the information was released into the wild, someone at Telstra decided there was a cyber risk and a legal bid was launched to try to have the data suppressed.

The idea of data security apparently hadn’t spread to all corners of the Telstra machine. Evidence was given that Telstra’s legal team hadn’t known the organisation even had an information security team.

Telstra then tried but failed in the Federal Court to suppress the data about its systems that the telco itself made public more than two years ago.

Submissions to Australian courts are made in public and become part of the public record unless a judge makes a specific suppression order.

The act of trying to suppress the data, nine months after it was disclosed in open court, only drew attention to the information’s existence.

In question also is the logic of trying to make something secret when it was already in the public domain and had been for months. If damage was to be done, then it had many months to find its mark.

As Australia’s biggest telco, Telstra is naturally sensitive to security issues, about protecting its network and ensuring the privacy of its customer data.

The telco repels cyber attacks daily. Sometimes they get through, as in 2015 when the Pacnet internal corporate network was compromised.

Telstra bills itself as a cyber security expert, but in the past it has had some problems keeping its customer data safe, and late last year it was revealed that overseas companies were selling the personal data of Optus, Telstra and Vodafone customers to anyone willing to pay.

And now Telstra, according to its own testimony in court, itself disclosed a hefty body of information in Federal Court hearings between December 8, 2014, and March 12, 2015, in the form of affidavits, a systems flowchart and written submissions, which it later labelled a threat to security.

There is no suggestion that this is data relating to customers. The information is more about the systems in place and the workflow surrounding Telstra’s mobile eCommerce platform.

The key document is a workflow chart, said by Telstra to bring together all the pieces of the confidential information. The chart traces the flow of subscribing to MOG, Telstra’s now defunct music subscription service. Here it is:

At the time the information was submitted to and discussed in open court there was no suggestion that this was confidential or in any way a danger to the telco’s operations.

The suppression issue is part of a larger, long-running case, due to come to a head over the next 12 months or so, alleging that Telstra’s mobile eCommerce platform has been infringing a British inventor’s patents for many years.

Telstra’s legal costs since 2013, described in court as enough to make most legal counsel’s eyes water, have already passed the $2 million mark, according to court papers.

Millions of dollars at stake

And at stake is tens, perhaps hundreds, of millions of dollars for past and future use of patents held by Simon Joyce, who is now based in Thailand. He is chairman of Upaid Systems, which he founded in 1997, and his company has brought the legal action against Telstra.

The case relates to a range of transactions Telstra customers carry out while roaming.

The technology claimed by Upaid allows mobile phone users to conduct business with a large number of merchants over many networks, rather than being tied to one telecommunications provider, which was a constraint in the early days of mobile transactions.

Telstra has rejected Upaid’s claims and tried, but failed, to have the case thrown out of court.

It was during hearings on its application to dismiss the case that Telstra submitted affidavits to the court describing its various systems, including those relevant to Upaid’s case.

The documents described the process of purchasing a premium MOG subscription, Telstra’s music subscription service which closed in August 2015.

The information that Telstra tried, in hindsight, to suppress is broader than this and could also have implications for other products. The judge, Justice David Yates, rejected the suppression application.

Legal sources say it is highly unusual to see an application to suppress court transcripts as well as documents submitted to a court some time in the past.

Telstra also tried to suppress a judge’s published reasons for rejecting an application because, it claimed, parts were confidential.

The judge said: “I find it hard to think that Telstra was not conscious of potential confidentiality concerns at the time that it filed its first round of affidavits.”

The stakes for Telstra are a little clouded, but an indication was given in October 2015 by Mike Burgess, Telstra’s chief information security officer at the time, who has since left the role.

Cyber threat

In an affidavit submitted to court, he said the material Telstra sought to suppress was of a kind that could be misused by “miscreants” for the purposes of damaging Telstra.

He stressed that he didn’t wish to suggest that disclosure of this material would certainly lead to a cyber threat. However, the security of Telstra’s systems would be “enhanced” if the material was suppressed.

During the hearings, it became clear that Telstra itself didn’t have procedures of its own to keep confidential the information it was trying to suppress in court.

And there appears to be some dispute within Telstra’s corridors.

Evidence was given that Ben Crosby, then Telstra’s director of technology, advised that the process of purchasing a premium MOG subscription using an internet browser on a Telstra mobile device was “not confidential”.

The hearings also exposed a gap in the knowledge of Telstra’s own legal team about the company’s internal security arrangements.

Rachel Delaney, Telstra’s legal counsel, intellectual property, gave evidence that in March 2015 she “became aware” of Telstra’s information security team.

What security team?

The judge said this suggested that Delaney and others employed in Telstra legal services were unaware that Telstra had an information security team.

Apparently, the judge concluded, there was no system or arrangement in place within Telstra itself that prevented the disclosure of the information by Telstra’s employees, suppliers, contractors or consultants.

“If there is no evidence that Telstra itself has a system or arrangement in place to protect the alleged confidentiality of the information in question, why should the court be prevailed upon to put such a system in place or make such an arrangement for the purposes of this proceeding?” the judge said.

“Why is a suppression order necessary when Telstra itself does not appear to recognise, through its own procedures, the same necessity?

“The security concerns it has advanced in this application appear to be security concerns it tolerates and manages in its own commercial activities.”

The judge lifted an interim suppression order.

We asked Telstra whether it still believed the information made it vulnerable to cyber attack. It replied:

“Telstra takes its responsibility to securely manage corporate and customer information very seriously. The limited information available, which largely relates to a product that is no longer in use (MOG), does not pose a risk to our business.

“We constantly review and update our internal processes and procedures to improve the security of our information in a changing environment.

“While the matter is still before the courts we cannot comment further.”
