Dan – Michmutters
Categories
Business

Phone company Circles. Life fined $300k by telco regulator over customer breaches

A telco company has been slapped with a $300,000 fine because it exposed nearly 2000 Australians to potential scammers.

Circles Australia Pty Limited, trading as Circles.Life, must pay a $199,800 infringement notice as well as $100,000 in compensation to fraud victims.

On Tuesday morning, the telco regulator, the Australian Communications and Media Authority’s (ACMA), announced the hefty costs.

Circles.Life breached the rules for phone number transfers a whopping 1,787 times when it sold SIM cards in retail stores between August and December 2021, according to the regulator.

The phone company was found to have failed to properly check the identity of purchasers, which meant cyber criminals then “took advantage of these lapses”.

As a result, 42 consumers experienced “fraud-related issues” which included their email and bank accounts being breached.

Of those, at least seven lost money to scammers.

The costly penalty is part of the ACMA’s broader crackdown on the telco industry, after implementing sweeping changes last month to combat phone scams which are on the rise.

The phone company should have adhered to multi-factor identification rules, according to ACMA Chair Nerida O’Loughlin.

“It is deeply concerning that Circles.Life did not have proper processes in place for such a long period and that so many people were affected or put at risk of identity theft and fraud,” she said.

“Combating these types of scams requires concerted action by all telcos and one weak link exposes all consumers to harm.

“It is the customers of other telcos who have fallen victim in this case by having their number transferred to Circles.Life without their knowledge.”

The ACMA also added that while the breaches should not have occurred, Circles.Life “responded quickly” when they realized the extent of the problem.

News.com.au has contacted Circles.Life for comment.

In a statement, the company said it had protocols in place for a one-time password verification for online port-ins, but the same rules didn’t apply for SIMs purchased at brick and mortar stores.

In April, the ACMA announced that phone companies will need stronger customer identity checks for “high-risk transactions” like SIM swaps, account changes or switching providers.

The new requirements, called the Telecommunications Service Provider (Customer Identity Authentication) Determination 2022, came into effect on June 30.

Since then, telcos must use multi-factor authentication of their customers’ identities such as confirming personal information and responding with a one-time code, similar to how banks operate. Before the changes, telcos mostly only required a customer’s name, phone number, date of birth and address to authorize a change.

The ACMA warned that noncompliance can lead to “strong action” including “pursuit of significant civil penalties” like in the case of Circles.Life and also potential Federal Court proceedings.

News.com.au has extensively reported on a particularly ominous phone scam known as a SIM swap hack in the past.

A SIM swap hack is when a cyber criminal ports – or re-routes – the victim’s mobile number onto their own phone, allowing them to intercept text messages and reset passwords to things like bank accounts.

In many cases, scammers were able to do so by impersonating the customer to their telco provider, then convincing the company to switch the SIM card over to an eSIM card.

Often the scammers will transfer the phone number to another provider to make it harder for victims to regain control of their account.

News.com.au reported on a Sydney man waking up to find $52,000 stolen from him by SIM hackers, while an Adelaide schoolteacher lost her entire life savings, $43,000, from a similar order.

Between 1 January and 30 September last year, there were at least 510 incidents of reported SIM swaps, resulting in 163 cases of financial loss, according to the ACMA.

These losses amounted to $4.68 million, with the largest single reported loss being $463,782.

Have a similar story? Get-in-touch | [email protected]

.