Vodafone investigates reported security breach


Mobile telco VHA said this afternoon that it was investigating an alleged breach of its security in which customers’ personal information, including details of whom they called and when, was reportedly made available to individuals who had obtained the login credentials for the internal customer database used by its Vodafone brand.

The Sun-Herald reported this morning that each Vodafone store had a username and a password for access to the customer database — and that the login details may have been passed on to external sources.

A journalist for the Sun-Herald, “sitting in a western Sydney business” with a laptop and someone who knew the login, was able to access all of her personal details on the system, including her name, address, driver’s licence number, date of birth, PIN and her entire call and SMS list.

A VHA spokesperson, however, denied the alleged breach meant customer details were “publicly available on the internet”, as the newspaper had reported.

“Customer information is stored on Vodafone’s internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password,” they said. “Any unauthorised access to the portal will be taken very seriously, and would constitute a breach of employment or dealer agreement and possibly a criminal offence.”

The telco said it would be conducting a “thorough investigation of the matter” itself and would refer the issue to the Australian Federal Police if appropriate. In addition, the telco stated that it took customer information and data security extremely seriously and was concerned to hear about the alleged breach.

“All passwords have been reset and a review is being undertaken of the training and process as an additional precaution,” the telco said.

VHA’s director of customer service and experience, Cormac Hodgkinson, also posted a message on the company’s Vodafone blog, reassuring customers that their information wasn’t publicly available on the internet, and that it was accessible only via a secure web portal.

The alleged security problems, if true, are just the latest in a string of issues at VHA in relation to its Vodafone brand. Over the past few months the company has faced a tsunami of complaints from users about drop-outs and patchy network access, which has resulted in one local law firm preparing to sue the telco in a class action that has already attracted some 9,000 interested customers.

The focus for the customer rage over the period has been Vodafail, a fledgling website set up by Sydneysider Adam Brimo to highlight his personal problems with Vodafone. Today, someone — presumably Brimo — posted an update on the site describing the alleged security problem as being “deeply concerning”.

“We believe it warrants a serious and prompt investigation by the Australian Communication and Media Authority,” wrote Vodafail.

“If you are concerned about the privacy of your personal information, we have set up a page detailing who you should contact to file a complaint. We aim to provide further updates on this situation as it develops. Vodafone has just emailed us stating that they have briefed all their staff on the situation and will be releasing more information.”

Image credit: Jakub Krechowicz, royalty free

19 COMMENTS

  1. I left this as a reply to Cormac on the Vodafone Blog, but as they don’t seem to be approving it past moderation, I will repost it here!

    So first you say it is not publicly available on the internet, but then you say it is available via a web portal.
    FFS Cormac, get it together. The information was accessed via the Internet through the web portal by a non-Vodafone employee.
    Stop trying for damage control, and fix your security.
    Concerned,
    Soon To Be Ex Customer.

    • Realistically, with the right VPN access, most corporate systems these days can be accessed via the internet — everything is on IP networks, after all. But I think what VHA is referring to here is that there is not a database floating around online in plain text — you need a password to access their systems.

      Having said that, I’m very surprised there wasn’t some form of two-factor authentication in place … even a token code sent to the accessing employee’s mobile phone. Irony!

      • Not a database floating around? How do we know that someone hasn’t scraped the entire database?

        Doesn’t sound like they were even aware until today that the login/passwords had leaked to the general public.

          • I doubt that Vodaphone’s IT “department” would have even noticed before a half-decent hacker took all of their customer details; scraping a database-driven website is a trivial problem.

            It’s hard to know whether this whole story is a beat up or a gaping hole, but it seems that the possibility existed for someone with half a brain to effortlessly take all their customer details (possibly sans complete credit card numbers).

  2. “If you are concerned about the privacy of your personal information, we have set up a page detailing who you should contact to file a complaint.”

    It would be nice for you to link to that page.

  3. How is “a secure web portal with a secure password” acceptable risk management for this level of personal information? Two factor authentication such as a token or smartcard isn’t science fiction anymore.

    • The problem is VHA management has been cutting back support and IT to the bare minimum and looking for any way not to spend money. Their helpdesk is a complete joke (disinterested Indians in a Mumbai call centre) and their IT has all been outsourced to the lowest cost option. End result = the current Vodafone mess.

  4. So, Vodafone are now saying it is a ‘one off’ and that no one else can access their systems…So why is it a simple search on google gains you access to the vodafone front door?

    https://203.20.35.230/content/images/RetailEscalations.html

    As posted on Whirlpool here: http://forums.whirlpool.net.au/forum-replies.cfm?t=1614444&p=14#r271

    Sure it may not be access to everything, but it is the front door, and only a step away from the rest of the information :/

  5. Hey. It has to be accessible from anywhere so that Ma and Pa vodafone shop can sign you up. They’re not all corporate.

    However Vodafone knows who they are and their login so a security breach can be easily narrowed down shortly.

    Sitting with a dishonest staffy with no respect for the privacy act and having them log in is just evil, and if the journo had any integrity she would hang them out to dry for the bad seed they are. The serious breach of privacy was done by an individual. They should be first up against the wall and prosecuted as far as it can possibly be taken.

    Biting the hand that feeds you.

    This really is slow news day sensationalism.

    Wake up people. Your details stopped being private the day you turned on your first computer.

  6. From what I’ve read so far, it does sound disappointing that they provide dealers with access to private customer information through a simple shared username and password. Even taking into account the need to keep things simple for the smaller dealers, there are different approaches and measures they could have utilised to better mitigate these kinds of risks.

    However, the initial reporting of the issue in the media was also disappointing – customer data wasn’t being published on the Internet, but through an extranet.

  7. Renai – do you know if Vodafone has replaced CTO Andy Reeves since it was announced he was leaving in September – or is he still there?

    A company without a CTO is probably part of the problem when it comes to all these system / network woes?

  8. It’s a massive media beat-up wrapped around a decision that was probably made 7 years ago when Siebel was implemented that has come back to bite them in the ass. Cost cutting by VHA (as the operating company) has little to do with this. Dodgy dealers do, and it’s a problem that is endemic to the dealer culture at Vodafone.

    Could a ‘hacker’ scrape the entire customer DB? No.

    Has Andy Reeves been replaced? Yes, Michael Young is now CTO. Michael Young was head of Customer Service, and was replaced by Cormac.

  9. While it certainly seems that Vodafone could beef up security a little, no amount of security will overcome an employee or franchisee who hands out their credentials – this was a social hack, not a technological one. Make the web portal security as sophisticated as you like, but if somebody hands out passwords etc., then someone else will have unauthorised access.

    As for the beat-up aspect … the media uproar suggested that anyone could get into the database …. reality was that only someone with the correct credentials could get access to that data; the problem was with who had the credentials, not necessarily the credentials themselves.

  10. Would tend to suggest this is a case of a retail worker who has given someone access via their stores login.

    A security breach such as this won’t be hard to track down given that Vodafone will no doubt be collecting log files of every single login and IP address accessing the system. Retail stores will have been advised of the issue and passwords would have been reset as a standard response. Retail store owners/operators/managers would have been advised to perform an audit on their own systems including who has access and when it was last used.

    Obviously a login from a notebook using a Telstra connection at 2am will stick out like… well… dog’s balls. Then it’s just a case of tracking it back.

    Vodafone will no doubt perform their own audit and I would almost guarantee contact the police in regards to unauthorised access by criminal means i.e. theft of security credentials and/or being in possession of stolen property i.e. security credentials. The police knocking on peoples doors will most certainly have an immediate effect of working out who leaked the login details.

    Many crying about their details being on IP-based systems need to realise that nearly everything is accessible via the web, from Internet banking to their last known address to the names of their children. It’s just a case of knowing how to gain access and having the appropriate security credentials, i.e. a simple username/password.

  11. Shared logins and security don’t go well together, especially when there are no physical barriers involved.

    Give each staff member in the shops/dealers their own login and make them responsible for the security of the password and any transactions or enquiries carried out with it. Not that hard.

  12. My credit card was accessed last night from abroad and about 250 used to pay for travel. The bank rang me after the event and I will get it back sometime. I have 2 Vodafone accounts linked to my card. Never had a problem before.
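Comments 10 and 11 above describe the checks an audit of this kind would rely on: a log of every portal login with its source address, in which an off-hours login from a non-store connection stands out, and per-person rather than per-store credentials so that a suspicious login can be attributed to someone. The script below is an added illustration of those two points, not code from Vodafone, VHA or the article. The log line format, the per-store source-network allow-lists and opening hours, and the `store42` shared credential are all assumed for the example, and the log lines are constructed.

```python
"""Flag anomalous portal logins in a constructed access log.

Added example, not Vodafone/VHA code. Hypothetical log format:
    <ISO-8601 timestamp> store=<id> user=<login> src=<ip> result=<ok|fail>
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2011-01-08T10:12:03+11:00 store=S042 user=store42 src=203.0.113.17 result=ok
2011-01-08T14:45:51+11:00 store=S042 user=store42 src=203.0.113.17 result=ok
2011-01-09T02:07:19+11:00 store=S042 user=store42 src=198.51.100.23 result=ok
2011-01-09T09:01:00+11:00 store=S042 user=store42 src=203.0.113.17 result=fail
2011-01-09T09:30:44+11:00 store=S017 user=jsmith src=192.0.2.88 result=ok
"""

# Hypothetical per-store policy: networks a store's logins should come from,
# and the hours during which the store is open.
STORE_POLICY = {
    "S042": {"networks": [ipaddress.ip_network("203.0.113.0/24")],
             "open": time(8, 30), "close": time(19, 0)},
    "S017": {"networks": [ipaddress.ip_network("192.0.2.0/24")],
             "open": time(8, 30), "close": time(19, 0)},
}

# Hypothetical: one credential shared by everyone in store S042.
SHARED_LOGINS = {"store42"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) store=(?P<store>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict; timestamp and address become objects."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def flag_event(ev, policy, shared_logins):
    """Return the list of reasons a successful login looks anomalous."""
    reasons = []
    if ev["result"] != "ok":
        return reasons  # failed attempts are a separate signal, not scored here
    p = policy.get(ev["store"])
    if p is None:
        return ["unknown store id"]
    if not any(ev["src"] in net for net in p["networks"]):
        reasons.append(f"source {ev['src']} outside store networks")
    wall_clock = ev["ts"].time()  # local time from the offset-bearing timestamp
    if not (p["open"] <= wall_clock <= p["close"]):
        reasons.append(f"login at {wall_clock.strftime('%H:%M')} outside opening hours")
    # The attribution problem comment 11 raises: an anomaly on a shared
    # store credential cannot be pinned on one person from the log alone.
    if reasons and ev["user"] in shared_logins:
        reasons.append("shared store credential: cannot attribute to an individual")
    return reasons


def analyse(log_text, policy=STORE_POLICY, shared_logins=SHARED_LOGINS):
    """Run every line through flag_event and collect the anomalous ones."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = flag_event(ev, policy, shared_logins)
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["store"], ev["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, store, user, reasons in analyse(SAMPLE_LOG):
        print(f"{ts} {store} {user}")
        for r in reasons:
            print(f"    - {r}")
```

Only the 02:07 login from 198.51.100.23 is reported; the daytime logins from the store's own network and the failed attempt are not. Without a per-person login the finding stops at "someone using the store42 credential", which is exactly the gap comment 11 points at.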
