The Privacy Commissioner launched an investigation and in the report of that investigation concluded that no customer details had been posted on the web and that what the SMH had reported was someone using a password, which quite possibly they held legitimately, to access the Vodafone in-house system remotely over the Internet.
Vodafone even got off the hook on one possible breach of privacy legislation - "organisations must only use or disclose personal information for the primary purpose for which it was collected" - on the grounds that "the login of a VHA owned store was used to show an individual what information the Siebel system held about them as a way of demonstrating the type of information the system holds about its customers. Information gathered during the Privacy Commissioner's investigation indicates that this demonstration was done with the consent of the individual." In other words the only record the SMH reporter saw was her own, so there was no breach of anyone's privacy.
But what about that claim: "[The SMH] is aware of criminal groups paying for the private information of some Vodafone customers to stand over them. Other people have apparently obtained logins to check their spouses' communications."
Vodafone did admit its investigation had revealed that "a small number of staff may have breached Vodafone's internal policies relating to the appropriate use of login IDs and passwords." Sufficient at least to create the possibility that the standovers and snoopings alleged by the SMH had taken place, but nothing on that in the Privacy Commissioner's report.
Where the Commissioner did come down hard on Vodafone (well, as hard as he could: the Privacy Act does not currently allow for sanctions to be imposed following an investigation initiated by the Privacy Commissioner) was over its security policies as a whole.
Amazingly Vodafone does not issue each staff member in retail stores with their own unique login to the customer database - it employs one password per store in some cases - so would have no means of fingering any single individual even if it were able to link a particular login to illegal use of customer data.
Furthermore, Vodafone was found not to have sufficiently restricted access to customer information on a "need to know" basis. As the PC report said:
"Vodafone's business functions require it to collect identity information from customers to comply with obligations to complete 100 point ID verification checks. This information is stored on Siebel and is available to all authorised users … The wide availability of full identity information via Siebel caused an inherent data security risk in terms of how personal information was protected by Vodafone."
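The two failings described above, identity documents visible to every authorised user and store-wide logins that cannot be tied to a person, come down to two controls that are easy to show in code. The following is an added illustration written for this post, not Vodafone's or Siebel's code; the customer record, field names, roles and account names are constructed assumptions.

```python
# Added example (not from the article or Vodafone): a minimal access layer showing the two
# controls the Commissioner's report faults, need-to-know field access and per-person attribution.
from typing import Dict, List, Set

# Constructed sample record; field names are assumptions, not the Siebel schema.
CUSTOMER: Dict[str, str] = {
    "customer_id": "C-1001",
    "name": "Jane Citizen",
    "plan": "Postpaid 50GB",
    "dob": "1980-01-01",
    "drivers_licence": "DL-CONSTRUCTED-123",   # 100-point ID material
    "passport": "PA-CONSTRUCTED-456",
}
ID_FIELDS: Set[str] = {"dob", "drivers_licence", "passport"}
BASE_FIELDS: Set[str] = {"customer_id", "name", "plan"}

# Which fields each role may see: only ID-verification staff get the identity documents.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "store_sales": BASE_FIELDS,
    "id_verification": BASE_FIELDS | ID_FIELDS,
}

# Accounts shared by a whole store (assumed name) cannot be tied back to one person.
SHARED_ACCOUNTS: Set[str] = {"store-sydney-01"}

AUDIT_LOG: List[Dict[str, object]] = []


def view_customer(login: str, role: str, record: Dict[str, str]) -> Dict[str, str]:
    """Return the record with fields outside the role's need-to-know set redacted,
    and write an audit entry keyed to the login that made the request."""
    allowed = ROLE_FIELDS[role]
    shown = {k: (v if k in allowed else "[redacted]") for k, v in record.items()}
    AUDIT_LOG.append({"login": login, "role": role,
                      "customer_id": record["customer_id"],
                      "fields": sorted(k for k in record if k in allowed)})
    return shown


def who_accessed(customer_id: str) -> Dict[str, Set[str]]:
    """Split audit entries for a customer into logins that identify a person and
    logins that only identify a store, so an investigator sees what can be proved."""
    out: Dict[str, Set[str]] = {"individuals": set(), "unattributable": set()}
    for entry in AUDIT_LOG:
        if entry["customer_id"] != customer_id:
            continue
        bucket = "unattributable" if entry["login"] in SHARED_ACCOUNTS else "individuals"
        out[bucket].add(str(entry["login"]))
    return out
```

With a shared store account every lookup lands in the "unattributable" bucket, which is exactly the position the report says Vodafone was in.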
I have put in a question to the PC on whether it investigated the allegations in the SMH article but have received no response. Clearly the SMH article was a bit of a beat-up - there was no Vodafone customer information on the Internet - but we don't yet know how much of a beat-up.
Even if the standover claims prove false, we should be very grateful to the SMH and to whoever accessed the Vodafone customer database for the benefit of the SMH's reporter.
Because the article exposed weaknesses in Vodafone's information security access policies so glaring that Blind Freddy should have been able to see them, and which hopefully have now been fixed.
As VHA CEO, Nigel Dews, said in his company's response to the investigation: "There were areas that needed improvement, which this incident highlighted. We responded quickly, took action with those employees involved who had shared passwords, and brought forward the implementation of a number of new security measures to better protect all customer information."
Good. The door has been shut. But we still don't know whether the horse had already bolted. If and when the PC responds, I will let you know.