Date: 2022-10-12

Telstra bosses say they welcome a review of how much data the telco is required to keep on customers, with chair John Mullen and CEO Vicki Brady both finding it to be overkill.

Mullen told shareholders at the company’s annual meeting yesterday that Telstra kept the required 100 points of ID “largely for legal reasons” and that, under the current laws, a breach like the Optus hack could happen to anyone.

“Let me be blunt and say that it’s very easy to be critical when it isn’t you in the firing line,” he told shareholders, “and we should all avoid hubris because no one can afford to be complacent.”

Under the current laws, telcos are required to retain data used for ID purposes while a customer account is active, and for two years after it is closed.

Regarding Telstra’s own breach, in which info about 30,000 current and former employees was posted online, Mullen said it was a third-party breach and that both his and Brady’s data had been exposed.

“The Pegasus breach that happened was not actually Telstra – it was a third party provider with some data people could get from anywhere,” he said, comparing it to handing personal details to a tradesman.

“Unfortunately, every one of us are exposed to that every day, and so the ability for us to say unequivocally you will never have an issue, we just can’t do that.

“We can never give 100 per cent guarantees. It’s just not possible.”

CEO Vicki Brady addressed the telco’s views on keeping data in a blog post titled “Why we retain customer ID data, and our view on where to from here”.

In the post, published yesterday afternoon, Brady wrote:

“At the moment a range of laws and codes are geared towards us retaining our customers’ ID data, and as a result our systems are set up to do so.”

Brady noted the Federal Government is looking at changes in this space, adding “we’re supportive of a review.”

“The requirements to retain this data made sense at the time they were created, and have helped combat fraud and help other law enforcement activities,” she wrote.

“With more recent advances in multi-factor authentication for ID purposes, and initiatives like the Trusted Digital Identity Framework on the horizon, we absolutely agree it’s time these rules were looked at.

“We want to make our principles on retaining customer ID data clear: once we know who you are, and we have an ongoing way of verifying who you are (eg through biometrics like face ID or fingerprints that you control), there should be very few reasons to retain your ID data.”