Vodafone Australia is a joke: Mobile security outrage - Private details accessible on net

The personal details of millions of Vodafone customers, including
their names, home addresses, driver's licence numbers and credit card
details, have been publicly available on the internet in what is being
described as an ''unbelievable'' lapse in security by the mobile phone
giant.

The Sun-Herald is aware of criminal groups paying for the private
information of some Vodafone customers to stand over them.
Other people have apparently obtained logins to check their spouses'
communications.

Personal details, accessible from any computer because they are kept
on an internet site rather than on Vodafone's internal system, include
which numbers a person has dialled or texted, plus from where and
when.

The full extent of the privacy breach is unknown but The Sun-Herald
has learnt that possibly thousands of people have logins that can be
passed around and used by anyone to gain full access to the accounts
of about 4 million Vodafone customers.

Professor Michael Fraser, the head of the Australian Communications
Law Centre at the University of Technology, Sydney, said that it
appeared to be a major breach of the company's privacy obligations and
''unbelievably slack security''.

''The fact you can look up anybody as easily as that seems to be a
gross breach of privacy and resulting in an almost negligent exposure
to criminal activity,'' said Professor Fraser, who also heads the
Australian Communications Consumer Action Network.

A spokesman for Vodafone said yesterday the company had ordered an
immediate investigation and review of security procedures.

''Customer information is accessed through a secure web portal,
accessible to authorised employees and dealers via a secure login and
password,'' he said.

''Any unauthorised access to the portal will be taken very seriously,
and would constitute a breach of employment or dealer agreement and
possibly a criminal offence.

''We will be conducting a thorough investigation of the matter with
our internal security experts and will refer the matter to the
Australian Federal Police if appropriate.''

He said all passwords would be reset, and training and other
procedures would be reviewed.

The revelations come as Vodafone is facing potential lawsuits and
widespread customer dissatisfaction with network access.

More than 9000 customers have joined a class action and the company
has set up a number of taskforces to try to fix the problems.

In this new saga for Vodafone, dealers have revealed that they are
frequently asked to do ''favours'' and to pass on their login details.

Because the customer database is not on an intranet (an internal company
system) but instead on the internet, users with a password can log in
to the portal from anywhere, then access any customer's information.

Vodafone retailers have said each store has a user name and password
for the system. That access is shared by staff and every three months
it is changed. Other mobile dealers who sell Vodafone products also
get full access to the database.

Anyone with full access can look up a customer's bills and make
changes to accounts. Limited access allows searching by name, which
takes much longer and is more involved but can be just as effective
when done correctly. ''It's scary stuff in the wrong hands,'' one
dealer told The Sun-Herald.

Australian Privacy Commissioner Timothy Pilgrim said all organisations
should take appropriate steps to secure the personal information of
their customers or they risked breaching the Privacy Act.

''If an individual believes their privacy has been interfered with
they should first contact the organisation responsible and if they are
not satisfied with their response they can make a complaint to our
office,'' Mr Pilgrim said.

He has backed the federal government's intention to give his office
extra powers to impose penalties should he find a breach of the act.

http://www.brisbanetimes.com.au/