Australian media giant Fairfax went public over the weekend with dramatic claims that customer data from mobile phone company Vodafone Australia is routinely falling into the wrong hands, thanks to lax database security.
According to Fairfax, Vodafone’s customer database is accessible to all its dealers over the internet, with the result that any dealer can look up extensive amounts of personally identifiable information (PII), together with call and SMS history, for any customer.
The Sydney Morning Herald says that unscrupulous password-holders have been offering what amounts to “pay-per-view” access to customer data to third parties.
Individuals, claims the Herald, are buying information to keep track of their spouses, whilst “criminal groups [are] paying for the private information of some Vodafone customers to stand over them”. (Standover is the chillingly descriptive Australian vernacular for intimidation and extortion.)
This story is a disappointing echo of the so-called WikiLeaks “Cablegate” drama. In that case, it is claimed that a single person, with the lowly rank of PFC (Private First Class, roughly a Lance Corporal in Australian terms), was able to access, and to copy unencrypted, three decades’ worth of secret US State Department diplomatic cables.
Organisational data shouldn’t be accessible in an all-or-nothing fashion like this. It isn’t fair to the organisation, and it definitely isn’t fair to its customers.
Learn more about what you can do to avoid a “Cablegate” moment in your business in this ZDNet Patch Monday interview with Sydney’s popular “opinionated and irreverent writer, broadcaster and consultant”, Stilgherrian.
If you haven’t yet started thinking about how to divide-and-conquer your corporate data – and how to divide-and-conquer the administration of that data – then why not make it a 2011 New Year’s Resolution to do so?
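To make the “divide-and-conquer” point concrete, here is an added illustration, not code from the original article and not anything from Vodafone’s systems: a constructed in-memory SQLite dataset of customers attached to hypothetical dealers. The first lookup is the pattern the article criticises (anyone with a login gets every field of every customer, plus call history, and nothing is recorded). The second restricts breadth (a dealer only sees its own customers, enforced in the query itself), restricts depth (the role decides which columns come back, and call history is never part of a dealer lookup) and audits every attempt, allowed or denied. All names, roles and records are made up.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical, not real customer records):
# each customer is attached to the dealer that sold them their contract.
CUSTOMERS = [
    # id, dealer_id, name, address, dob, phone
    (1, "D-001", "Alice Example", "1 Sample St", "1980-01-01", "0400000001"),
    (2, "D-001", "Bob Example", "2 Sample St", "1975-05-05", "0400000002"),
    (3, "D-002", "Carol Example", "3 Sample St", "1990-09-09", "0400000003"),
]
CALL_HISTORY = [
    # customer_id, number called, timestamp
    (1, "0411111111", "2011-01-08T09:00"),
    (3, "0422222222", "2011-01-08T10:00"),
]

# "Depth" control: the columns each role is allowed to see.
# Call history is deliberately absent from every role's column list.
COLUMNS_BY_ROLE = {
    "dealer": ("id", "name", "phone"),
    "billing": ("id", "name", "address", "dob", "phone"),
}


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    dealer_id: Optional[str]  # None for head-office roles with no dealer scope


def build_db():
    """Create the constructed dataset in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers(id INTEGER PRIMARY KEY, dealer_id TEXT, "
        "name TEXT, address TEXT, dob TEXT, phone TEXT)"
    )
    db.execute("CREATE TABLE calls(customer_id INTEGER, called TEXT, at TEXT)")
    db.execute("CREATE TABLE audit(user TEXT, action TEXT, customer_id INTEGER, allowed INTEGER)")
    db.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?)", CUSTOMERS)
    db.executemany("INSERT INTO calls VALUES (?,?,?)", CALL_HISTORY)
    return db


def lookup_all_or_nothing(db, customer_id):
    """The pattern the article criticises: any password-holder sees every
    field of every customer, including call history, and no trace is kept."""
    row = db.execute("SELECT * FROM customers WHERE id=?", (customer_id,)).fetchone()
    calls = db.execute(
        "SELECT called, at FROM calls WHERE customer_id=?", (customer_id,)
    ).fetchall()
    return {"customer": row, "calls": calls}


def lookup_scoped(db, who: Principal, customer_id):
    """Breadth: a dealer-scoped principal only sees customers with its own
    dealer_id.  Depth: the role decides which columns come back.  Every
    attempt is written to the audit table, whether allowed or not."""
    cols = COLUMNS_BY_ROLE.get(who.role)
    if cols is None:
        raise PermissionError(f"unknown role {who.role!r}")
    # Column names come from our own table above, never from the caller,
    # so joining them into the SQL text cannot be abused for injection.
    sql = f"SELECT {', '.join(cols)} FROM customers WHERE id=?"
    params = [customer_id]
    if who.dealer_id is not None:
        # Row-level restriction lives in the query itself, so a bug in code
        # that runs later cannot leak another dealer's customers.
        sql += " AND dealer_id=?"
        params.append(who.dealer_id)
    row = db.execute(sql, params).fetchone()
    allowed = row is not None
    db.execute(
        "INSERT INTO audit VALUES (?,?,?,?)", (who.user, "lookup", customer_id, int(allowed))
    )
    if not allowed:
        raise PermissionError(f"{who.user} may not view customer {customer_id}")
    return dict(zip(cols, row))


def audit_trail(db):
    """Return every recorded lookup attempt, in order."""
    return db.execute("SELECT user, action, customer_id, allowed FROM audit").fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_all_or_nothing(db, 3))  # everything, for anyone
    dealer = Principal("shop-user", "dealer", "D-001")
    print(lookup_scoped(db, dealer, 1))  # own customer, three columns only
    try:
        lookup_scoped(db, dealer, 3)  # another dealer's customer
    except PermissionError as err:
        print("denied:", err)
    print(audit_trail(db))
```

The two controls are independent: a head-office billing role with `dealer_id=None` can see any customer but still gets only its role's columns, while a dealer gets a narrower column set and only its own rows. Neither path returns call history, and the denied attempt is just as visible in the audit table as the successful ones, which is what lets you notice a dealer fishing for customers that are not theirs.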
I’m beyond disgusted!! I received a text this morning saying, Vodafone Breach!! WTF!!!! I’ve been such an advocate for years….I’m signing out officially, my contract ends in July!!! How can a successful business not do the ONE thing that is a PRIORITY, protect customers….not happy
So, Vodafone are now saying it is a ‘one off’ and that no one else can access their systems…So why is it that a simple search on Google gains you access to the Vodafone front door? https://203.20.35.230/content/images/RetailEscala…
As posted on Whirlpool here: http://forums.whirlpool.net.au/forum-replies.cfm?…
Sure it may not be access to everything, but it is the front door, and only a step away from the rest of the information :/
Is this Vodafone Australia only? How about the UK branch? Are they affected?
Don't know. If you're a Vodafone UK customer, why not ask them 🙂
By the way, my intention here is not to heap opprobrium on Vodafone – let's wait and see what emerges over the next week or so before we decide exactly how good or bad this whole situation is – but to remind sysadmins and CEOs that…
…for at least some of them, there is a reminder in all of this along the lines of "there, but for the grace of God, go I."
I have a sinking feeling that many organisations have "embraced" Web 2.0 by taking internal database systems which are "protected" merely by limiting the number of people who can access them (rather than by reliably regulating the depth and breadth of what they can access) and extending the business value of those databases by relaxing the limits on how many people can access them, and from where.
Problem with that is that the original "security" wasn't right in the first place. You can get away with security through obscurity only as long as the obscurity is not merely obscure but opaque. That's not very long on today's internet – just ask Mr Assange 🙂
Anyone want to buy a Vodafone store.. Mine’s now for sale… 20c is all I will get for it now… Thanks Vodafone you’ve destroyed my life!