ACMA, the Australian Communications and Media Authority, has issued formal notices to three telcos after discovering that each of them failed to validate customer details when customers moved between carriers, leaving those customers vulnerable to different types of cyberattacks.

One of the telcos found in breach was Medion Mobile, an organization that powers Aldi Mobile and is owned by Lenovo. Medion Mobile was caught on 53 occasions, whilst Telstra breached its obligations 52 times and Optus was pinged for just one violation.

Historically it has been too easy to transfer phone numbers from one telco to another. All a scammer needed to hijack a mobile number and access personal information like bank details was a name, address, and date of birth.

We are cracking down on telcos that don’t follow the rules and leave customers vulnerable to identity theft.


The Australian Communications and Media Authority said that those who experienced mobile number fraud typically lost more than AU$10,000, and have struggled to “regain control of their identities for long periods of time”.

Since the new rules on validating customer information came into effect, the practice has stopped.

ACMA has posted instructions on its official page for anyone who believes they have fallen victim to such a breach:

If you think someone has stolen your mobile number, contact your telco immediately. Ask whether someone ported your number without your consent. If they did, ask your telco to reverse the port.

  • If someone made a SIM swap (has a SIM card with your number), ask your telco to deactivate the SIM card and send you a new SIM card.

Make sure you also:

  • contact your bank or financial institution straight away and tell them someone might be committing fraud;
  • consider changing your passwords for accounts such as for your bank, email and social media;
  • report any fraud to the local police or the Australian Federal Police;
  • report any cybercrime relating to identity theft and online fraud to the Australian Cyber Security Centre;
  • contact IDCARE on 1800 595 160 if you want help with identity crime or cybersecurity;
  • report the activity to Scamwatch.


ACMA warned that further violations could see an AU$250,000 fine per breach, with the most recent example being the fine paid by Lycamobile.

Earlier this month Lycamobile had to pay an AU$600,000 fine after ACMA found what it called “prolonged and large-scale customer data failures, which could have put people in danger”.

In its investigation, ACMA found 245,902 instances in which the telco failed to pass on information to Telstra, so the data was not properly integrated into the Integrated Public Number Database (IPND), which is used by emergency services when responding to 000 calls and by the Emergency Alert Service.

There were 5,671 instances in which Lycamobile did not upload data to the IPND for “between three days and nine years” after gaining a customer, and the telco did not completely and accurately upload the information belonging to 240,231 customers.
