Telstra and Optus investigated by ACMA for public safety failures

It’s been a bad week for Australia’s two biggest telcos, with both Telstra and Optus receiving attention from the Australian Communications and Media Authority (ACMA) for separate incidents that put the safety of the Australian public at risk.

On the morning of 1 March, between 3:30 and 5:00 am AEDT, an as-yet-unexplained issue at Telstra’s Triple Zero call centre was found to be impacting the transfer of calls from Victoria, NSW, Tasmania, Western Australia and the ACT to emergency service operators. Telstra, as Emergency Call Person, receives all calls to Triple Zero and transfers them to the appropriate state or territory emergency service — but while calls did arrive during this period, there was no calling line identification (CLI) information included. CLI is a telephone network signalling capacity that identifies the calling party’s telephone number.

“Without that CLI information to transfer calls to emergency services operators in an automated way, our Triple Zero teams had to manually transfer each call onwards,” wrote Jane Elkington, Telstra’s Group Manager, Emergency Service Answer Point and Disability Services, in a post on the Telstra website.

“We immediately implemented our backup process, with our teams taking down details which were then sent through manually to emergency services so they could call back those people who had called Triple Zero.

“We conducted a restart of the system, and from 5:00AM the Triple Zero service was running stably.”

Of the 494 calls received, 148 were not able to be manually transferred to the emergency service operators, and were instead communicated to emergency services by email. It has since been confirmed that one of those cases involved a person who suffered a cardiac arrest, who subsequently passed away.

While Elkington said that Telstra has committed to a “swift and forensic” investigation into what went wrong, as well as any improvements that can be made to the backup processes, CEO Vicki Brady has so far only been able to confirm that the incident — which she described as the worst failure of the system that she was aware of — was not caused by a hack and that the backup system for CLI did not work as intended. The Australian Government is now seeking to understand the full impact of the disruption, while the ACMA has commenced an investigation into Telstra’s compliance with the Telecommunications (Emergency Call Service) Determination 2019, which requires the Emergency Call Person to transfer Triple Zero calls to the applicable emergency service organisation.

Meanwhile, Optus was this week forced to pay a $1,501,500 penalty after an ACMA investigation found the telco left close to 200,000 mobile customers (supplied under the Coles Mobile and Catch Connect brands) at risk by failing to upload required customer information to the Integrated Public Number Database (IPND) between January 2021 and September 2023. The IPND is used by critical services like the Emergency Alert service to warn Australians of disasters such as flood and bushfires, and by Triple Zero to provide location information to the police, ambulance and fire brigade in an emergency.

ACMA member Samantha Yorke said the Authority commenced its investigation after a compliance audit indicated Optus had failed to upload data via its outsourced supplier, Prvidr Pty Ltd. Yorke emphasised that all telcos “need to have systems in place that ensure they are meeting their obligations, including having robust oversight and assurance processes for third-party suppliers.

“While we are not aware of anyone being directly harmed due to the non-compliance in this case, it’s alarming that Optus placed so many customers in this position for so long,” she said.

“When emergency services are hindered, there can be very serious consequences for the safety of Australians.”

In addition to the financial penalty, the ACMA has accepted a court-enforceable undertaking from Optus that requires an independent review of its IPND compliance where it uses a third-party data provider and the implementation of any improvements recommended by the review. Optus has also been formally directed to comply with the IPND industry code. If the ACMA finds Optus fails to comply with the direction or the enforceable undertaking, it may commence proceedings in the Federal Court, which can order penalties up to $10 million per breach or make orders in relation to the undertaking.

Image credit: iStock.com/Jacob Wackerhausen