A big little Telstra privacy breach

Update @ 23:00 ADST – Jan 21

It’s been a pretty huge day! You can continue reading this adventure in my new post: A continuing little Telstra privacy breach.

Update @ 21:00 ADST – Jan 20

Boy has this been an exciting afternoon. The official word from Telstra is “shut up and wait”. After a lengthy chat session that was escalated part-way through, I’ve been told my only option is to disable Visual Voicemail, wait for a case manager to call (24-48 hours) and wait for the other device’s owner to go to a store. So much for “hey, we’ve totally destroyed your privacy, here’s how we’re bending over backwards to help you”.

Update @ 19:00 ADST – Jan 20

Telstra’s Visual Voicemail reset is complete and (as advised) all of my old messages have been deleted. I have since done the following:

  • I asked my wife to call my number and leave a voicemail.
  • I asked the owner of my old device to reboot their phone.
  • They sent a message after the reboot not only telling me the message arrived, but repeating its contents.

Meanwhile, the email Allen said he would send with his contact link has never arrived. Telstra have also tweeted to say:

…voicemail is linked to your SIM Card, not your device, did you ensure to remove the SIM?

My SIM is now in my iPhone 6S here with me and wasn’t sent with the phone. Back to 24×7 Chat we go.

Original post @ 16:00 ADST – Jan 20

In late 2015 I performed a factory reset on an old Apple iPhone 5 and sold it. It’s the same process I’ve done a number of times in the past (yeah, I know, I’m a gadget junkie) and before handing it over I ensured there was absolutely nothing of mine left on the device and the SIM was removed. A few hours ago the new owner let me know that they’re receiving a copy of my (visual) voicemails on the device, repeated their contents and sent a screenshot of the messages to confirm it. YIKES!

Here’s what we could establish:

  • We’re both Telstra customers.
  • Messages aren’t received in realtime, only when the phone is powered up.
  • My own device and visual voicemail work as they should.
  • If the user misses a call and the caller doesn’t leave a message, the user receives the standard missed-call TXT notification.
  • If the caller leaves a message, the user has no notification at all – no visual voicemail (it only shows mine), no TXT notification.
  • If the user calls 101, Telstra’s messagebank service, they can access their voice messages.
  • They listened to some of my messages trying to work out who the unknown callers were – they were understandably confused!

Let me be clear here – no matter what the cause is, this is a significant breach of privacy. Could you imagine a law firm or other privacy-critical service (medical practice, government department, school etc.) turning over a fleet of phones? The thought is terrifying. But let’s stick to the facts!

After a tweet and a Facebook post I was steered to Telstra’s 24×7 Chat service where Allen straight up told me:

…that’s impossible. Since the only way that the old iPhone can be sync with your new phone is if they’re using the same Apple ID.

and

Since you don’t have the device with you personally we can’t really test if this is actually happening.

Allen’s suggestion was to then deactivate and reactivate visual voicemail which will take between 4-8 hours. In the meantime I have lodged a complaint which I have been told will be followed up by a manager. I was given two reference numbers, one for the support case, one for the complaint and then sent on my way. That is, with one final comment from Allen:

I guarantee to you that this is a rare case and maybe the first.

Well, lucky me, I guess!

After chatting to a friend in a different part of Telstra (and receiving a similar suggestion on Twitter) we are hypothesising that the device’s IMEI is used to authenticate with voicemail during its boot sequence. That’s all we’ve got for now!

I’ll update this post as soon as I can.

1 Comment

  1. I think this is a very interesting, and frustrating, case. I hate most tech support services in Europe too. I’m following your problem’s updates and the IMEI thing has caught my attention.

    Moral support from Spain!
