Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Wednesday, 16 February 2011 15:02

Vodafone found to have breached the Privacy Act


Vodafone/VHA seems to have come off lightly from the Privacy Commissioner's investigation into the alleged leak of confidential customer information, but the Commissioner has not answered all the questions.

Back in January the Sydney Morning Herald broke the story, and created a huge kerfuffle with a report claiming that "The personal details of millions of Vodafone customers, including their names, home addresses, driver's licence numbers and credit card details, have been publicly available on the Internet in what is being described as an 'unbelievable' lapse in security by the mobile phone giant."

The Privacy Commissioner launched an investigation and in the report of that investigation concluded that no customer details had been posted on the web and that what the SMH had reported was someone using a password, which quite possibly they held legitimately, to access the Vodafone in-house system remotely over the Internet.

Vodafone even got off the hook on one possible breach of privacy legislation - "organisations must only use or disclose personal information for the primary purpose for which it was collected" - on the grounds that "the login of a VHA owned store was used to show an individual what information the Siebel system held about them as a way of demonstrating the type of information the system holds about its customers. Information gathered during the Privacy Commissioner's investigation indicates that this demonstration was done with the consent of the individual." In other words the only record the SMH reporter saw was her own, so there was no breach of anyone's privacy.

But what about that claim: "[The SMH] is aware of criminal groups paying for the private information of some Vodafone customers to stand over them. Other people have apparently obtained logins to check their spouses' communications."

Vodafone did admit its investigation had revealed that "a small number of staff may have breached Vodafone's internal policies relating to the appropriate use of login IDs and passwords." Sufficient at least to create the possibility that the standovers and snoopings alleged by the SMH had taken place, but nothing on that in the Privacy Commissioner's report.

Where the Commissioner did come down hard on Vodafone (well, as hard as he could; the Privacy Act does not currently allow for sanctions to be imposed following an investigation initiated by the Privacy Commissioner) was over its security policies as a whole.



The Commissioner found that Vodafone did not "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure."

Amazingly Vodafone does not issue each staff member in retail stores with their own unique login to the customer database - it employs one password per store in some cases - so would have no means of fingering any single individual even if it were able to link a particular login to illegal use of customer data.

Furthermore, Vodafone was found not to have sufficiently restricted access to customer information on a "need to know" basis. As the PC report said:

"Vodafone's business functions require it to collect identity information from customers to comply with obligations to complete 100 point ID verification checks. This information is stored on Siebel and is available to all authorised users ... The wide availability of full identity information via Siebel caused an inherent data security risk in terms of how personal information was protected by Vodafone."

I have put in a question to the PC on whether it investigated the allegations in the SMH article but have received no response. Clearly the SMH article was a bit of a beat-up - there was no Vodafone customer information on the Internet - but we don't yet know how much of a beat-up.

Even if the standover claims prove false, we should be very grateful to the SMH and to whoever accessed the Vodafone customer database for the benefit of the SMH's reporter.

Because the article exposed weaknesses in Vodafone's information security access policies so glaring that Blind Freddy should have been able to see them, and which hopefully have now been fixed.

As VHA CEO, Nigel Dews, said in his company's response to the investigation: "There were areas that needed improvement, which this incident highlighted. We responded quickly, took action with those employees involved who had shared passwords, and brought forward the implementation of a number of new security measures to better protect all customer information."

Good. The door has been shut. But we still don't know whether the horse had already bolted. If and when the PC responds, I will let you know.
