Telstra has been fined $1.5 million by the Australian Communications and Media Authority (ACMA) for failing to adequately protect its customers from scams and fraud. 

The penalty comes in response to Telstra's non-compliance with new regulations that mandate multi-factor authentication (MFA) for critical transactions, including password resets and SIM card swaps.

An ACMA investigation has revealed that between August 2022 and April 2023, Telstra neglected to authenticate customer identities during 168,000 high-risk interactions. 

These lapses left more than 7,000 customers vulnerable to fraud, breaching the rules introduced by ACMA in 2022 which require telecommunications companies to implement MFA to safeguard against such risks.

Authority member Samantha Yorke said; “It is unacceptable that Telstra did not have proper systems in place when the rules came into force. SIM-swap scams can be particularly devastating as victims can lose life savings as well as control of their phone number and other personal information." Yorke noted that victims of mobile fraud typically lost an average of $28,000.

Adding to Telstra's regulatory troubles, the company has been ordered by ACMA to rectify an error that exposed the details of over 140,000 customers who had paid to keep their numbers unlisted. This breach occurred over a decade and involved the publication of these customers' information.

In response to the ACMA findings and the fine, a Telstra spokesperson expressed support for the regulations aimed at enhancing customer security. 

The spokesperson explained that the company was committed to ensuring the MFA processes were robust, which contributed to missing the initial compliance deadline. 

Despite the breaches, ACMA did not find direct evidence of financial losses resulting from these incidents. 

However, Telstra has agreed to a two-year undertaking with ACMA to address and rectify these breaches for future transactions. 

This agreement is enforceable by the court if Telstra fails to comply.