[AusNOG] ITNEWS: Telstra retail staff caught cancelling ISP orders

Skeeve Stevens skeeve+ausnog at eintellegonetworks.com
Sat Jun 22 10:02:58 EST 2013


I am surprised I've seen no discussion on this on the list.  Anyone here
been affected?

...Skeeve


From:
http://www.itnews.com.au/News/347550,telstra-retail-staff-caught-cancelling-isp-orders.aspx

Casts doubt on telco's NBN data protection abilities.

Telstra's retail staff have been discovered withdrawing new service orders
lodged by some of Australia's internet service providers.

The misuse of supposedly confidential data between Telstra's wholesale and
retail business units is contained in a compliance report tabled in
Parliament. (pdf
<http://transition.accc.gov.au/content/item.phtml?itemId=1109953&nodeId=3210cd6da1ca03f5d803313f86c9f3cb&fn=Telstra's%20compliance%20with%20the%20Structural%20Separation%20Undertaking.pdf>)

The case cited is not isolated. The report also details how Telstra flags
accounts with non-Telstra services as "conversion opportunities" — though
Telstra disputes the extent of "unfair commercial advantage" this might
confer.

The disclosures give credence to efforts by NBN Co
<http://www.itnews.com.au/News/346890,nbn-co-sinks-telstras-nbn-info-sharing-plan.aspx>,
Optus, iiNet and others
<http://www.itnews.com.au/News/346674,iinet-optus-reject-telstras-revised-nbn-infosec-plan.aspx>
to ensure confidential NBN data disclosed to Telstra Wholesale can't be
similarly abused by Telstra Retail.

That fight has been stepped up over the past week over concerns Telstra is
trying to limit restrictions on how it can share NBN information internally.

Telstra must convince NBN Co, ISPs and ultimately the Australian
Competition and Consumer Commission that it will not use NBN data for
"anti-competitive behaviour" — a task which could prove more difficult in
light of today's disclosures.

Telstra is required to safeguard commercially-sensitive wholesale
information from its retail business units under its structural separation
commitments.

*Culling wholesale orders*

The compliance report, published by the ACCC, reveals how Telstra Retail
staff killed an average 21 new service orders lodged by ISPs each month
before the telco intervened to stop the practice last year.

The report only covers the period of 6 March 2012 to June 30 2012. It is
unclear how long such practices have existed.

"As part of the activation process, employees contact Wholesale Customer
end-users to confirm details such as connection address and whether a
lead-in has been installed," the report stated.

"There have been limited instances of employees cancelling Wholesale
Customer orders at the direction of the Wholesale Customer's end-user,
believing they are fulfilling the customer's wishes."

One situation in which this might have occurred is for end-users that had
retail relationships with Telstra and with an ISP that happened to be a
reseller of Telstra lines.

"A shared end-user could potentially contact Telstra Retail to cancel their
services, including a pending wholesale order, because the end-user had
decided to use mobile instead of fixed-line services, or because their
business was closing and services were no longer required," the report
noted.

But it appears not all instances might have involved an end-user with
shared retail relationships. The report did not specify but raised the
possibility that end-users without Telstra Retail relationships also got
caught out.

Instances where Telstra Retail staff cancelled pending wholesale orders
were "in breach of company policy and against training/instructions to
staff", the report noted.

Telstra "removed the ability for Telstra retail staff to withdraw wholesale
LSS <http://whirlpool.net.au/wiki/lss> orders in August 2012". Line Sharing
Service is the wholesale product used by ISPs to provide ADSL2+ using their
own DSLAM equipment.

A further "system fix" was made in November 2012 "to remove the ability of
Telstra Retail staff to withdraw any wholesale orders and modify most
wholesale orders, with further IT changes planned to restrict the ability
to modify wholesale orders".

Telstra had also moved to "reinstate orders that were incorrectly
withdrawn". Telstra staff that killed the orders were "provided with
further training/coaching to avert recurrence".

However, it appeared to take a specific request by the ACCC for Telstra to
advise affected wholesale customers — i.e. ISPs — how withdrawn orders
could be reinstated.

*'Conversion opportunities'*

Investigations by the ACCC also revealed how Telstra allegedly notified its
Retail staff there were non-Telstra services on a particular copper line.

The user's account would be tagged 'NON-TEL' in ordering and provisioning
systems. Another system used for sales transactions displayed 'conversion
opportunity' messages where an end-user acquired one or more non-Telstra
services.

Telstra's retail sales consultants were then allegedly given guidance on
whether the end-user had "agreed to be told information about Telstra
products", meaning attempts could be made to convert them.

"Despite Telstra's guidelines, Telstra cannot rule out the possibility of
some Retail Business Unit staff disregarding the guidelines and using the
'NON-TEL' indicator and [conversion] messages to gain or exploit an unfair
commercial advantage," the ACCC noted.

Telstra argued the system indicators "do not prompt Retail Business Unit
staff to engage in activities that would provide any unfair commercial
advantage to a Retail Business Unit, or be likely to do so".

The carrier also said it hadn't uncovered "any widespread or systemic use"
of wholesale data by Telstra Retail to gain an unfair advantage.

But the ACCC argued the mere existence of the capability put Telstra in
breach of its structural separation obligations.

*Other breakdowns*

The report identified several other information security breakdowns between
Telstra's wholesale and retail business units.

"Human error" was blamed for an instance where service migration data from
Telstra's South Brisbane exchange relocation project found its way into the
hands of retail staff, courtesy of a daily report sent out to the
"cross-company project team" running the work.

Retail staff had also been able to interrogate wholesale data kept in a
data warehouse and in billing systems. Those staff had since had their
system privileges revoked.

The ACCC said it was continuing to investigate the breaches uncovered.

"While it is of concern that these breaches have occurred, the fact that
these matters are now coming to light and are being addressed shows that
the SSU is working," ACCC Chairman Rod Sims said.

A Telstra spokesman noted the issues were from "2011-12" and were
"self-reported by Telstra".

"Importantly there's nothing to suggest we gained any unfair commercial
advantage as a result," the spokesman said.

"We're addressing all of the issues identified through a comprehensive IT
program to remediate the relevant systems."

Copyright © iTnews.com.au <http://www.itnews.com.au/> . All rights reserved.


...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
skeeve at eintellegonetworks.com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ;  <http://twitter.com/networkceoau>
linkedin.com/in/skeeve

twitter.com/networkceoau ; blog: www.network-ceo.net


The Experts Who The Experts Call
Juniper - Cisco - Cloud