Vodafone breached Privacy Act, Commissioner reports

Commissioner Timothy Pilgrim today reported on allegations that unauthorised parties had obtained log-in details to Vodafone's database of customer names, personal details and call records.

Following an internal investigation by Vodafone, Pilgrim could not substantiate media reports that its data had been uploaded onto a publicly accessible website.

However, he found that the telco “had not taken reasonable steps” to protect customers’ privacy, with Vodafone admitting that “a small number of staff may have breached Vodafone’s internal policies relating to the appropriate use of IDs and passwords”.

Vodafone stored customer data in a Siebel system, which was accessible by “authorised users” through a secure web portal via login IDs and passwords.

Some internal Vodafone staff accessed the system via individual login IDs. However, employees of Vodafone’s retail stores and dealerships shared login details with others in the store.

The Privacy Commissioner noted that the use of dealerships carried additional data security challenges, including network security and the remote authentication of users.

Although the system recorded when each account was accessed, Pilgrim said shared logins reduced the effectiveness of audit trails, since actions could not easily be traced back to individual users.

Vodafone’s tiered access system was also deemed insufficient, since all authorised users could access details – if not exact copies – of identity documents including passports.

The telco was thus found guilty of breaching National Privacy Principle 4.1, which charged companies with protecting personal information from “misuse and loss and from unauthorised access, modification or disclosure”.

In a six-page report (pdf), released this morning, Pilgrim acknowledged that Vodafone had “acted immediately” after becoming aware of the alleged breach.

The company quickly moved to disable any Siebel account that had not been used in the previous six weeks, and required all retail stores and dealers to reset their passwords on a daily basis until individual login IDs were implemented on 5 February.

It also referred the matter to the Australian Federal Police, and had reportedly sacked an undisclosed number of staff in relation to the incident.

In a statement this morning, Vodafone said the company had improved login identification and authentication processes, limited approved access points for stores and dealers, and tightened monitoring and detection techniques.

It was also part-way through implementing “a number of other additional security measures”, having agreed to reassess its access tiers and make other undisclosed changes to its security systems.

Pilgrim welcomed Vodafone’s undertaking to improve its data security measures, and requested that Vodafone report back to him on its progress and the outcome of an internal security review.