The notice followed an ACMA investigation (which involved the Australian Cyber Security Centre) that found 1,787 contraventions of industry rules for phone number transfers using Circles.Life SIMs purchased from retail stores between August and December 2021.
As a result, ACMA said, 42 consumers experienced fraud-related issues such as compromised emails accounts and loss of access to banking accounts, with at least seven of them experiencing financial losses.
In addition to paying the infringement notice, Circles.Life has offered over $100,000 in compensation to consumers who had their services compromised by scammers who took advantage of these lapses.
Circles.Life sad it "[A]ccepts the findings including that Circles contravened the Standard (and, as a consequence, the Telecommunications Act (1997)). We regret the contravention, as we are aware of its serious nature and the potential impacts on telecommunications customers."
ACMA Chair Nerida O'Loughlin said "Since the (multi-factor identification) rules were introduced by the ACMA in 2020, there has been a significant drop in mobile fraud reported to banks and government agencies.
"It is deeply concerning that Circles.Life did not have proper processes in place for such a long period and that so many people were affected or put at risk of identity theft and fraud,.
"Combatting these types of scams requires concerted action by all telcos and one weak link exposes all consumers to harm.
"It is the customers of other telcos who have fallen victim in this case by having their number transferred to Circles.Life without their knowledge."
O'Loughlin said that while the breaches should not have occurred, Circles.Life had responded quickly once it was aware of the problem. The company implemented the required identity checks, appointed regulatory staff to oversee its activities and provided some recompense to the 42 affected consumers.
"Some of the victims have experienced significant stress due to Circles.Life's failure and we are pleased to see the company is providing recompense to acknowledge the profound emotional toll and disruption often caused by these scams."
Circles.Life Australia CEO Nicholas Demos said "In line with the Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020, we were required to implement a one-time-password verification process for all port-ins by 30 April 2020. While this was done for all online port-ins, which represent the vast majority of our business, it was not done for port-ins done through our retail channels. While other verifications and security measures were in place, it represented a vulnerability in our process and breach of the Industry Standard.
"42 customers were impacted when their numbers were ported incorrectly. All 42 numbers were returned to their rightful owners some time ago and new processes and policies have been implemented to ensure that this never happens again. In fact, within 2 weeks of becoming aware of the situation we had designed, tested and deployed a fix which closed the vulnerability permanently. This is a first for us and we are deeply sorry to our customers, and the industry, as we know this represents a loss of trust. We have an enviable record and have established telco operations in five very different countries around the world and successfully navigated five unique regulatory landscapes with their own rules, processes and legislation. We have never made an error like this before and we're committed to ensuring it never happens again."
Combating SMS and identity theft phone scams is a current ACMA compliance priority.
ACMA says anyone who thinks they have been a victim of a phone scam should contact their telco and financial institution immediately.
In addition, IDCARE can help if your identity has been compromised or stolen, and can be reached at 1800 595 160 or https://www.idcare.org/ .