Vodafone Australia in massive data leakage controversy

Australian media giant Fairfax went public over the weekend with dramatic claims that customer data from mobile phone company Vodafone Australia is routinely falling into the wrong hands, thanks to lax database security.

According to Fairfax, Vodafone's customer database is accessible to all its dealers over the internet, with the result that any dealer can look up extensive amounts of personally identifiable information (PII), together with call and SMS history, for any customer.

The Sydney Morning Herald says that unscrupulous password-holders have been offering what amounts to "pay-per-view" access to customer data to third parties.

Individuals, claims the Herald, are buying information to keep track of their spouses, whilst "criminal groups [are] paying for the private information of some Vodafone customers to stand over them". (Standover is the chillingly descriptive Australian vernacular for intimidation and extortion.)

This story is a disappointing echo of the so-called WikiLeaks "Cablegate" drama. In that case, it is claimed that a single person, with the lowly rank of PFC (Lance Corporal), was able to access, and to copy unencrypted, three decades' worth of secret US State Department diplomatic cables.

Organisational data shouldn't be accessible in an all-or-nothing fashion like this. It isn't fair to the organisation, and it definitely isn't fair to its customers.

Learn more about what you can do to avoid a "Cablegate" moment in your business in this ZDNet Patch Monday interview with Sydney's popular "opinionated and irreverent writer, broadcaster and consultant", Stilgherrian:

If you haven't yet started thinking about how to divide-and-conquer your corporate data - and how to divide-and-conquer the administration of that data - then why not make it a 2011 New Year's Resolution to do so?

5 Responses to Vodafone Australia in massive data leakage controversy

  1. Dromana · 1329 days ago

    I'm beyond disgusted!! I received a txt this morning saying, Vodafone Breach!! WTF!!!! I've been such an advocate for years....I'm signing out officially, my contract ends in July!!! How can a successful business not do the ONE thing that is a PRIORITY, protect customers....not happy

  2. Jackie Chan · 1329 days ago

    So, Vodafone are now saying it is a ‘one off’ and that no one else can access their systems…So why is it a simple search on Google gains you access to the Vodafone front door? https://203.20.35.230/content/images/RetailEscala...
    As posted on Whirlpool here: http://forums.whirlpool.net.au/forum-replies.cfm?...
    Sure it may not be access to everything, but it is the front door, and only a step away from the rest of the information :/

  3. Thu Win · 1329 days ago

    Is this Vodafone Australia only? How about the UK branch? Are they affected?

    • Paul Ducklin · 1329 days ago

      Don't know. If you're a Vodafone UK customer, why not ask them :-)

      By the way, my intention here is not to heap opprobrium on Vodafone - let's wait and see what emerges over the next week or so before we decide exactly how good or bad this whole situation is - but to remind sysadmins and CEOs that...

      ...for at least some of them, there is a reminder in all of this along the lines of "there, but for the grace of God, go I."

      I have a sinking feeling that many organisations have "embraced" Web 2.0 by taking internal database systems which are "protected" merely by limiting the number of people who can access them (rather than by reliably regulating the depth and breadth of what they can access) and extending the business value of those databases by relaxing the limits on how many people can access them, and from where.

      Problem with that is that the original "security" wasn't right in the first place. You can get away with security through obscurity only as long as the obscurity is not merely obscure but opaque. That's not very long on today's internet - just ask Mr Assange :-)

  4. Shellshocked · 1328 days ago

    Anyone want to buy a Vodafone store.. Mine's now for sale... 20c is all I will get for it now... Thanks Vodafone you've destroyed my life!

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog