Vodafone Australia is facing even greater pressure from customers and government regulators after it was disclosed this weekend that personal details of as many as 4 million of its customers have been easily accessible to hackers. According to the Sydney Morning Herald, the information that could be easily accessed includes customer names, home addresses, driver license numbers, credit card numbers, numbers dialed or texted as well as from where and when they were dialed or texted.
It has been alleged that pilfered information has already been used for spying on spouses and for blackmail purposes.
The information is a bit sketchy as I write this but apparently Vodafone customer information is accessible via a web portal used by Vodafone's mobile phone dealers. The passwords used by the dealers or by someone inside Vodafone supposedly have been widely passed around.
Vodafone disputes that there is a major customer information security breach, but also says that it has reset the password(s) to its web portal. Vodafone's CEO Nigel Dew has said that the reported incident was a "one-off breach," although from the reports coming out of Australia it looks like a bit more than that.
The Sydney Morning Herald reports that Vodafone has been flooded with calls by angry customers worried about ID theft.
As I mentioned last week, the law firm Piper Alderman was "registering potential clients" for a class action lawsuit against Vodafone for "calls dropping out, reception issues, poor data performance." At the end of last week, more than 12,500 customers had registered interest (up from 9,000 about a week before) in pursuing such a course of action. The law firm says now it may extend the lawsuit to include security breach issues as well.
The Office of the Privacy Commissioner is investigating the breach. What financial liability Vodafone faces for the breach is unclear, as there are contradictory reports about what the Privacy Commission can or cannot do. One report yesterday indicated that the Commissioner theoretically can direct Vodafone to compensate those individuals whose records have been exposed. If Vodafone cannot identify said individuals (say because it doesn't keep a detailed log of who logged into its customer accounts and specifically which accounts were accessed), the company could be facing calls for compensation to all 4 million of its customers.
However, another report today says the Commissioner's hands are tied, and Vodafone will not be penalized at all.
It will be interesting to see if this issue also engulfs Telstra, the largest telecommunication company in Australia. According to the Sydney Morning Herald:
"[Telstra] is believed to use the same customer management system as Vodafone."
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.