Ooredoo data breach brings legal action

An Ooredoo Myanmar employee that gave out a customer’s call log has been fired, with the company still pursuing legal action through Mandalay police.

The June breach involves an Ooredoo customer in Yangon, her male business associate, an intermediary contact and the former Ooredoo Myanmar employee.

The Mandalay office employee passed the Yangon customer’s call log on to a friend – breaching her employment contract and Ooredoo’s employee code of conduct, said the firm’s senior public relations manager Ma Thiri Kyar Nyo.

The friend then gave it to the customer’s business associate.

“Our ex-employee gave her friend … that list and then this gentleman used it against our customer,” Ma Thiri Kyar Nyo said.

The former employee, who worked in Ooredoo’s Mandalay office in the customer experience department, had access to the firm’s customer relationship management system – and therefore to call logs, according to Ma Thiri Kyar Nyo.

Customer “champions” answer to Ooredoo users that want their bill clarified. The company has a verification process for when customers call in, which has since been tightened, Ma Thiri Kyar Nyo said.

“This has never happened before and it will not be repeated,” she said. “We have taken action and are still taking action against our ex-employee. We are keeping in touch with our customer [through her lawyer], who is obviously very upset.”

The company casts the situation as a singular, unfortunate event.

“This is like in a shopping mall. A cashier can use the cash in their rawer for personal use,” she said. “Customer service champions shouldn’t misuse this access.”

Ma Thiri Kyar Nyo said she did not know why the employee shared the information, and that the person was fired on July 3.

Rumours that a voice file or pictures were leaked are untrue, she said.

Ma Thiri Kyar Nyo said that the Ooredoo customer is not currently pursuing legal action against the firm, and that the company is moving against its ex-employee.

“A lot of media have asked how we are settling,” she said. “Settling everything in terms of money is not the right way.”

“We should settle these kinds of things legally, in an appropriate way.”

As a telecommunications provider in Myanmar, Ooredoo has set up processes for sharing customer information at the request of the sector regulator, the Posts and Telecommunications Department (PTD) under the Ministry of Information and Communications Technology (MICT).

“The police have to let the PTD know what they are looking for, and then the regulatory team will have first filter – is this concerning human trafficking, drugs, terrorism, [homicide] or national security,” Ma Thiri Kyar Nyo said. “Then operators will check with our own standards.”

Earlier this year, Ooredoo said it had complied with two to three requests. No further requests have been made since then, according to Ma Thiri Kyar Nyo.

Data privacy remains relatively unexplored territory in Myanmar.

A draft telecommunications masterplan from MCIT said that matters around data privacy are outside the sector’s jurisdiction and will be handled elsewhere in the government as a universal issue.

The country’s 2013 telecoms law empowers the Union government to pursue confidential user information under certain circumstances, but also demands fundamental rights of citizens are respected, as previously reported in The Myanmar Times.

However, Myanmar’s 2008 constitution guarantees protection for “the privacy and security of home, property, correspondence and other communications of citizens under the law”, subject to its provisions.

Source: Myanmar Times

NB: The best way to find information on this website is to key in your search terms into the Search Box in the top right corner of this web page. E.g. of search terms would be “property research report”, ”condominium law”, “Puma Energy”, “MOGE”, “yangon new town”,”MECTEL”, “hydropower”, etc.

 Opportunities from COVID19


Looking for foreign investors to invest in your business in Myanmar