The full report from Mr Pilgrim is available here or here as a direct PDF link.
Although media reports suggested that 'billing and call records for up to four million Vodafone customers were available on a publicly accessible website', Mr Pilgrim stated that 'I did not find any evidence that substantiated the claim that Vodafone customers' personal information was available on a publicly accessible website.
'However, in my view, Vodafone did not have appropriate security measures in place to protect customers' personal information at the time. Consequently Vodafone was in breach of their obligations under the Privacy Act,' continued Mr Pilgrim.
Mr Pilgrim also said he was 'particularly concerned about Vodafone's use of shared logins and passwords for staff and the broad range of detailed personal information available to them.'
Naturally, as is often the case after such investigations, the investigated party is agreeing to take remedial actions - in this case Vodafone will 'review its IT security', while issuing individual logins and passwords to retail store and dealership employees - something that should obviously be the minimum standard for all companies but, as Vodafone has demonstrated, isn't always followed.
I mean - how many times are you, reading this now, using the same password for more than one site? It happens, even though we all know it shouldn't.
Vodafone is also due to report back to Mr Pilgrim 'on the progress of the review and implementation of increased security measures', with Mr Pilgrim sensibly noting this case should 'serve as a reminder to all businesses' using customer management systems to ensure that they have robust privacy protections built in.
While some 'Vodafail' customers are probably still off the hook, metaphorically speaking, when it comes to getting reliable voice and data access, Vodafone is off the hook when it comes to any particular 'sanctions' over its security lapses. The Commissioner's media release notes that the Privacy Act 'does not currently allow for sanctions to be imposed following an investigation initiated by the Privacy Commissioner', although efforts to 'strengthen the enforcement regime' are in place through recommendations 'made by the Australian Law Reform Commission'.