Telstra has been hit with a hefty $551,000 penalty for failing to implement required customer ID authentication processes, leaving thousands of Australians vulnerable to SIM-swap scams and other types of mobile fraud.

An investigation by the Australian Communications and Media Authority (ACMA) found that between August 2022 and April 2023, Telstra failed to use the required ID authentication processes for 168,000 high-risk customer interactions. These interactions included SIM-swap requests and password resets, with over 7,000 interactions for customers identified as being in vulnerable circumstances.

"When the ACMA made these rules in mid-2022 we identified that victims of mobile fraud lose $28,000 on average," said ACMA Authority Member Samantha Yorke. The average loss for victims of mobile fraud is a staggering $28,000.

"While there is no direct evidence anyone suffered losses because of these breaches, customers need to be able to trust that their telcos are protecting their accounts from fraud," Yorke added. The impact of SIM-swap scams can be devastating, with victims potentially losing life savings as well as control of their phone number and other personal information. "SIM-swap scams can be particularly devastating as victims can lose life savings as well as control of their phone number and other personal information," Yorke warned.

The customer ID authentication rules introduced in 2022 require telcos to use multi-factor ID authentication before allowing transactions that may compromise a person's account. "It is unacceptable that Telstra did not have proper systems in place when the rules came into force," Yorke stated.

In addition to the financial penalty, the ACMA has accepted a two-year court-enforceable undertaking from Telstra, committing it to appoint an independent consultant to review its compliance with the customer ID rules and to make improvements where needed.