Telstra's structural separation undertaking

Telstra has completed a wide-ranging program to remediate information security issues that it had identified in a number of its legacy IT systems.

Following commencement of the SSU, Telstra reported a series of information security issues under its mandatory compliance obligations. These issues related to its SSU commitment to ensure that protected information is not disclosed to Telstra’s retail businesses – including confidential or commercially sensitive wholesale customer information provided to Telstra in its capacity as access provider of regulated services.

The ACCC engaged Ovum as an independent expert consultant to conduct a thorough review of the remediation project after Telstra advised it had remediated its IT systems in early 2015.

Ovum initially reviewed a sample of IT systems that Telstra had remediated as part of its IT systems remediation project. Ovum was satisfied with the inquiries it was able to make into these systems. However, it identified some minor remaining information security issues within some of the sampled systems.

This led to Telstra subsequently conducting a further ‘due diligence’ review of its remediation project. This review adopted a more rigorous approach to testing the IT systems and identified a small number of additional issues to be remediated.

In February 2016, Ovum concluded that, despite the emergence of a small number of outstanding issues, Telstra’s approach to remediation was appropriate considering the project’s scale. The executive summary to Ovum’s report is available below.

Telstra has since advised that it has completed all tasks associated with the remediation project.

The ACCC is satisfied that Telstra’s SSU reporting measures can be relied on to identify any further information security issues, should they arise.