Telco Lycamobile Pty Ltd has paid a $376,200 penalty after it failed to adequately carry out identity verification checks when transferring mobile phone services from other providers, which led to reported consumer losses of at least $175,000.
An Australian Communications and Media Authority (ACMA) investigation found Lycamobile breached anti-scam rules on 131 occasions between September and December 2024 after scammers exploited weaknesses in its systems.
ACMA Chair Nerida O'Loughlin said when scammers hijack a mobile number it's not only dollars that can be lost, you can lose control of your entire digital identity.
"Your phone is often the key to your banking, health records and other personal information. When that key is stolen, everything can feel unsafe.
"It is deeply concerning that criminals were able to exploit gaps in Lycamobile's systems for over three months without detection and as a result, people suffered financial losses and identity theft.
"These rules are only as strong as the weakest link in the chain, when one telco's processes are not robust, consumers with other telcos are at risk," Ms O'Loughlin said.
The ACMA has also accepted an 18-month court-enforceable undertaking from Lycamobile to appoint an independent consultant to review its security arrangements, make improvements where recommended and report regularly to the ACMA.
The ACMA is actively monitoring industry compliance with fraud prevention obligations and will take strong enforcement action if we find non-compliance.
"This is the fifth time this year the ACMA has found breaches of these rules and all telcos are on notice that their ID verification systems must not have vulnerabilities that scammers can target," Ms O'Loughlin said.
The Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020 sets out rules requiring telcos to verify the identity of people wanting to transfer their numbers to a new provider before a transfer is completed.
Businesses have paid more than $4.8 million for breaches of this standard in the last 12 months.
Consumers should contact their telco and financial institution immediately if they think they have been a victim of a phone scam. It also helps other Australians by reporting scams to Scamwatch.
IDCARE can help people whose identity has been compromised or stolen on 1800 595 160 or at https://www.idcare.org/. Support is also available from Lifeline (13 11 14) or Beyond Blue (1300 224 636).
