Circles.Life left Aussies open to port scam, now it’s paying out AU$300,000
Ruling handed down after telco failed to complete proper identity checks
Update: We’ve received a statement from Circles.Life Australia, and the telco says it’s committed to ensuring it does not repeat its mistake. You can read the full statement from the mobile provider’s CEO below.
Circles.Life has been found in breach of Australia’s anti-scam rules, and will now pay out over AU$300,000 in penalties and compensation.
The Australian Communications and Media Authority (ACMA) found that Circles.Life left Aussies open to port scams by failing to complete the required customer identity checks, such as multi-factor identification.
This meant that by using Circles.Life SIM cards bought from retail stores, scammers were able to fraudulently port phone numbers from other telcos over to Circles.Life between August and December 2021.
“It is the customers of other telcos who have fallen victim in this case by having their number transferred to Circles.Life without their knowledge,” says the ACMA’s Chair, Nerida O’Loughlin, in a statement.
During its investigation, ACMA found 1,787 contraventions (non-criminal breaches) in which a Circles.Life SIM was used for a phone number transfer late last year.
ACMA reports that as a direct result, 42 consumers became victims of fraud-related issues including compromised email accounts and being locked out of their banking accounts. Of these 42 people, at least seven experienced financial loss.
Circles.Life Australia will now pay an AU$199,800 infringement notice for the anti-scam breach, and it has also offered to pay over AU$100,000 in compensation to the people who fell victim to scams.
New port scam prevention rules
In an effort to stem the flow of mobile number fraud, ACMA introduced rules in February 2020 that require Australian telcos to add an extra layer of identity verification when transferring a person’s phone number from one telco to another.
To ensure the individual requesting the port had physical access to the handset, the new rules require telcos to perform a two-factor authentication check by sending a four-digit code to the number being ported.
“Since the rules were introduced by the ACMA in 2020, there has been a significant drop in mobile fraud reported to banks and government agencies,” says O’Loughlin.
“It is deeply concerning that Circles.Life did not have proper processes in place for such a long period and that so many people were affected or put at risk of identity theft and fraud,” she said.
While O’Loughlin says the breaches should never have happened, she notes that Circles.Life responded quickly once it was aware of the loophole that was exposing Aussies to a potential port scam, and implemented the required identity check.
Circles.Life responds
In a statement to TechRadar, the CEO of Circles.Life Australia, Nicholas Demos, said the telco was “deeply sorry to our customers, and the industry, as we know this represents a loss of trust”.
Demos also expanded on the actions which led to the breach: “In line with the Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020, we were required to implement a one-time-password verification process for all port-ins by 30 April 2020.
“While this was done for all online port-ins, which represent the vast majority of our business, it was not done for port-ins done through our retail channels. While other verifications and security measures were in place, it represented a vulnerability in our process and breach of the Industry Standard,” he said.
“42 customers were impacted when their numbers were ported incorrectly. All 42 numbers were returned to their rightful owners some time ago and new processes and policies have been implemented to ensure that this never happens again. In fact, within 2 weeks of becoming aware of the situation we had designed, tested and deployed a fix which closed the vulnerability permanently.
“This is a first for us and we are deeply sorry to our customers, and the industry, as we know this represents a loss of trust. We have an enviable record and have established telco operations in five very different countries around the world and successfully navigated five unique regulatory landscapes with their own rules, processes and legislation. We have never made an error like this before and we’re committed to ensuring it never happens again,” he said.
Jasmine Gearie was previously an Ecommerce Editor at TechRadar Australia, with a primary focus on helping readers find the best mobile and NBN plans. During her time with TechRadar, she also reported on important telco news in Australia, and helped track down tech deals to help readers save money.