Privacy Commissioner: Vodafone Lacked Security Measures

Bob Styran, IT audit expert
February 16, 2011

SYDNEY, Australia – Following its dismissal of the data privacy breach accusations against Vodafone last month, the Australian Privacy Commissioner has found loopholes in the company’s security systems for protecting customers’ personal data.

The case of Vodafone is nothing new. Similar breaches of personal information have occurred elsewhere in the world: the compromise of online dating site PlentyOfFish.com, where at least 30 million internet users had their data exposed to hackers; the hacking of online shopping firm Lush; and data breach instances at another online buying site, WiCount, in South Africa.

The Australian Privacy Commissioner launched an investigation last month into the alleged unauthorized access to the personal data of four million Vodafone customers. The Age newspaper has quoted Vodafone chief executive Nigel Dews as saying what happened was “that somebody shared password.”

Throughout the investigation, Vodafone has had to reset passwords every 24 hours until the Privacy Commissioner completed its probe into what the company described as “a one-off breach.”

The data allegedly included names, addresses, driver’s licenses, and credit card numbers of Vodafone customers who registered on its website. Dealers are supposed to log in to the website using their IDs and passwords, but reports claimed that some other sensitive information had been leaked to unauthorized individuals.

Commissioner Timothy Pilgrim’s own investigation found no evidence pointing to log-in details being made public through Vodafone’s website, though it further learned that a few of Vodafone’s staff had breached the privacy of the customers’ data.

Pilgrim said there was no evidence to substantiate claims that the customers’ data were leaked to third parties.

However, Pilgrim revealed today that Vodafone has breached the Privacy Act by failing to act promptly to protect the data of its customers. He said the company “did not have the appropriate level of security measures in place.”

Pilgrim warned other companies in the field to monitor their security measures carefully to avoid being penalized for data privacy violations.

 
