Monday, January 10, 2011

Freedom of information - Vodafone style

Vodafone faces compensation payouts to as many as 4 million of its customers after confirming it is investigating a security breach that has put billing and call records on a publicly accessible website protected only by passwords that change monthly.

It also faces the prospect of privacy concerns being added to a lawsuit being prepared by on behalf of 12,500 customers over quality of service issues.

Justice Minister Brendan O’Connor yesterday raised the matter with the office of the Privacy Commissioner which will seek answers from Vodafone today.

Commissioner Timothy Pilgrim has power to launch a so-called "own motion" investigation on behalf of affected customers and direct that compensation be paid to each.

At issue will be whether Vodafone has logged attempts to access its data and knows which of its customers have been affected.

"It appears what has happened is that somebody shared a password"... Vodafone chief executive Nigel Dews told the Herald.

"It appears to be a one-off breach and we have got out internal investigators looking into it right now. We reset our passwords last night and we are resetting them every 24 hours until that investigation is complete."

Vodfaone merged with mobile provider '3' two years ago, but only Vodafone customers were affected by the breach.

The firm would lay criminal charges against anyone who had passed on passwords.

Mr Dews declined to say whether Vodafone kept logs of every access, saying he did not want to hand out information that could help hackers.

Telstra too said it would not disclose the nature of its security measures. It is believed to use the same customer management system as Vodafone although it may be configured differently.

A reporter for the Sun Herald had someone with a laptop and login code demonstrate how easy it was to call to call up her address, drivers licence number, date of birth and details of the time, location and destination of all of her phone calls and messages.

'I was surprised how easily the database could be opened'

Natalie O'Brien

SITTING in a western Sydney business with a laptop and someone who knew a login for Vodafone's customer database, I handed over my mobile number to be punched in - in seconds we could see all my personal details.

For some time I have been told information about telco customers could easily be accessed.

I have heard many stories of how undesirable elements could get the passwords to tap into anyone's phone account and gather confidential details as well as watch all their transactions including who they contact.

But I was surprised at how quickly and easily the customer database could be opened from anywhere by someone unconnected to Vodafone. I could see my full name, address, driver's licence number, date of birth, the pin number to access and change details on my Vodafone account.

My entire call list - everyone I had rung or texted and the time I spent on the phone - was visible.

University of NSW law professor Graham Greenleaf told the Herald if Vodafone did not keep such logs there would be no obvious limit on the number of its customers to whom it could be liable if its conduct was found to breach the Privacy Act.

"Where more than one person is affected they can declare it a representative complaint," he said.

"The Privacy Commissioner can order the payment of compensation. If the firm does not pay, he can take it to court."

Until now no Privacy Commissioner has used that power in the decade they have had jurisdiction over private companies.

"It sends a bad message - that compliance with the Act is optional," he said.

The Privacy Act requires private companies to take reasonable precautions to protect personal data.

"What is reasonable depends on the risks and the nature of the information, but common sense would tell you there is a real question if you are potentially exposing this sort of information to people who can access it not just from Vodafone offices but from remote sites."

Any Vodafone customer is entitled to ask when and to whom the firm has disclosed their information.

"That's just accessing your own record under Privacy Act," he said. The Act also allowed the equivalent of a private class action.

Piper Alderman lawyer Sasha Ivantsoff will this week mail 12,500 Vodafone customers a questionnaire and says he may extend a planned law suit if their responses detail privacy breaches.

"The main issues to date have been dropped calls, no service, voice mail not functioning and data not functioning. We haven't filed anything yet, so we can adjust our claim," he said.

Published in today's SMH and Age

Related Posts

. The Access Card is a complete mess, buried but still belching up toxic smoke

. How on earth did the Medicare card nearly morph into a universal national ID card?

. No-one should be forcibly reduced to a single identity