the personal details of millions of Vodafone customers, including their names, home addresses, driver's licence numbers and credit card details, have been publicly available on the internet in what is being described as an "unbelievable" lapse in security by the mobile phone giant.Just another example of large-scale data loss, in a regulatory environment that features no meaningful penalties for poor practice on the part of data custodians?
The newspaper goes on to state that it -
is aware of criminal groups paying for the private information of some Vodafone customers to stand over them.The Sunday Age explains that -
Other people have apparently obtained logins to check their spouses' communications.
Personal details, accessible from any computer because they are kept on an internet site rather than on Vodafone's internal system, include which numbers a person has dialled or texted, plus from where and when.Well, he would say that, wouldn't he.
The full extent of the privacy breach is unknown but ... possibly thousands of people have logins that can be passed around and used by anyone to gain full access to the accounts of about 4 million Vodafone customers.
Professor Michael Fraser, the head of the Australian Communications Law Centre at the University of Technology, Sydney, said that it appeared to be a major breach of the company's privacy obligations and "unbelievably slack security".
"The fact you can look up anybody as easily as that seems to be a gross breach of privacy and resulting in an almost negligent exposure to criminal activity," said Professor Fraser, who also heads the Australian Communications Consumer Action Network.
A spokesman for Vodafone said yesterday the company had ordered an immediate investigation and review of security procedures. "Customer information is accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password," he said.
"Any unauthorised access to the portal will be taken very seriously, and would constitute a breach of employment or dealer agreement and possibly a criminal offence."
"We will be conducting a thorough investigation of the matter with our internal security experts and will refer the matter to the Australian Federal Police if appropriate."
He said all passwords would be reset, and training and other procedures would be reviewed.
A post on the Vodafone site by Cormac Hodgkinson, Director of Customer Service and Experience, reads -
Vodafone customer data securityThat reassurance is problematical, given indications that a large number of Vodafone employees and dealers have access and that access is being misused. Exactitude about 'publicly available' look disingenuous if passwords are being passed around, sold or gifted to mates (and thence to mates of mates).
You may have seen recent media reports in relation to customer information – please be assured that Vodafone takes customer information and data security extremely seriously. Customer information is not 'publicly available on the internet'. Customer information is stored on Vodafone's internal systems and accessed via a secure web portal, accessible to authorised employees and dealers via a secure login and password.
Yours sincerely
The Sunday Age comments that -
Because the customer database is not an intranet (internal company system) and instead on the internet, users with a password can log in to the portal from anywhere, then access any customer's information.What is the response from the Office of the Information Commission, the new agency that includes the national Privacy Commissioner. Regrettably, it's same old, same old. The Sunday Age reports that -
Vodafone retailers have said each store has a user name and password for the system. That access is shared by staff and every three months it is changed. Other mobile dealers who sell Vodafone products also get full access to the database.
Anyone with full access can look up a customer's bills and make changes to accounts. Limited access allows searching by name, which takes much longer and is more involved but can be just as effective when done correctly. "It's scary stuff in the wrong hands"
Australian Privacy Commissioner Timothy Pilgrim said all organisations should take appropriate steps to secure the personal information of their customers or they risked breaching the Privacy Act.The prospect of complaints to the Privacy Commissioner is underwhelming, given that entity's historic reluctance to take on major offenders, failure to publicly shame behaviour such as that noted here and questions about its policy analysis (eg the alarming PID 11 and 11A highlighted in Privacy Law Bulletin last year, that authorise large-scale - and ineffective - genetic fishing expeditions.)
"If an individual believes their privacy has been interfered with they should first contact the organisation responsible and if they are not satisfied with their response they can make a complaint to our office," Mr Pilgrim said.
He has backed the federal government's intention to give his office extra powers to impose penalties should he find a breach of the act.
Given what appears the scale of the data exposure and the possibility that some of Vodafone's competitors use similar systems (that may also have been compromised, to use another delightful bureaucratic euphemism) it would be appropriate for the Privacy Commissioner to initiate an own-motion investigation rather than waiting for the complaints to flood in or rather wanly complaining, yet again, that he needs more resources and more power. Public shaming - pungent, timely, pertinent - is a key mechanism for agencies ... a mechanism that offsets perceptions that agencies have experienced regulatory capture. The federal Commissioner would do well to adopt the forward-looking, positive and articulate approach taken by the Victorian Commissioner (OVPC).
It would also be appropriate for investigation by ACMA, the national telecommunications regulator. The co-regulatory scheme for telecommunications is founded on industry responsibility. In practice, both major telcos and the telco minnows have behaved - and continue to behave - in ways that call co-regulation into question.