08-01-2011, 05:45 PM
Mobile security outrage: private details accessible on net
Natalie O'Brien, Sydney Morning Herald
January 9, 2011
THE personal details of millions of Vodafone customers, including their names, home addresses, driver's licence numbers and credit card details, have been publicly available on the internet in what is being described as an ''unbelievable'' lapse in security by the mobile phone giant.
The Sun-Herald is aware of criminal groups paying for the private information of some Vodafone customers to stand over them.
Other people have apparently obtained logins to check their spouses' communications.
Personal details, accessible from any computer because they are kept on an internet site rather than on Vodafone's internal system, include which numbers a person has dialled or texted, plus from where and when.
The full extent of the privacy breach is unknown but The Sun-Herald has learnt that possibly thousands of people have logins that can be passed around and used by anyone to gain full access to the accounts of about 4 million Vodafone customers.
Professor Michael Fraser, the head of the Australian Communications Law Centre at the University of Technology, Sydney, said that it appeared to be a major breach of the company's privacy obligations and ''unbelievably slack security''.
''The fact you can look up anybody as easily as that seems to be a gross breach of privacy and resulting in an almost negligent exposure to criminal activity,'' said Professor Fraser, who also heads the Australian Communications Consumer Action Network.
A spokesman for Vodafone said yesterday the company had ordered an immediate investigation and review of security procedures.
''Customer information is accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password,'' he said.
''Any unauthorised access to the portal will be taken very seriously, and would constitute a breach of employment or dealer agreement and possibly a criminal offence.
''We will be conducting a thorough investigation of the matter with our internal security experts and will refer the matter to the Australian Federal Police if appropriate.''
He said all passwords would be reset, and training and other procedures would be reviewed.
The revelations come as Vodafone is facing potential lawsuits and widespread customer dissatisfaction with network access.
More than 9000 customers have joined a class action and the company has set up a number of taskforces to try to fix the problems.
In this new saga for Vodafone, dealers have revealed that they are frequently asked to do ''favours'' and to pass on their login details.
Because the customer database is not on an intranet (internal company system) but instead on the internet, users with a password can log in to the portal from anywhere, then access any customer's information.
Vodafone retailers have said each store has a user name and password for the system. That access is shared by staff and every three months it is changed. Other mobile dealers who sell Vodafone products also get full access to the database.
Anyone with full access can look up a customer's bills and make changes to accounts. Limited access allows searching by name, which takes much longer and is more involved but can be just as effective when done correctly. ''It's scary stuff in the wrong hands,'' one dealer told The Sun-Herald.
Australian Privacy Commissioner Timothy Pilgrim said all organisations should take appropriate steps to secure the personal information of their customers or they risked breaching the Privacy Act.
''If an individual believes their privacy has been interfered with they should first contact the organisation responsible and if they are not satisfied with their response they can make a complaint to our office,'' Mr Pilgrim said.
He has backed the federal government's intention to give his office extra powers to impose penalties should he find a breach of the act.
"Let me issue and control a nation's money and I care not who writes the laws." - Mayer Rothschild
"Civil disobedience is not our problem. Our problem is civil obedience! People are obedient in the face of poverty, starvation, stupidity, war, and cruelty. Our problem is that grand thieves are running the country. That's our problem!" - Howard Zinn
"If there is no struggle there is no progress. Power concedes nothing without a demand. It never did and never will" - Frederick Douglass