VHA breached Privacy Act, says Commissioner


The Australian Privacy Commissioner today said although VHA (which owns the Vodafone brand) didn’t make customers information publicly available on the internet during its recent security scandal, it was nontheless in breach of its obligations under the Privacy Act.

In January 2011, VHA started an investigation over an alleged breach of its security, which had reportedly seen customers’ personal information – including phone calls details – made available to individuals who somehow had obtained password access to the telco’s internal database for its Vodafone brand.

A month later, the Australian Privacy Commissioner Timothy Pilgrim today released the findings of his investigation, stating he didn’t find evidence that Vodafone customers’ personal information was available on publicly accessible websites, but he discovered the company’s security measures were inappropriate.

“… in my view, Vodafone did not have appropriate security measures in place to protect customer’s personal information at the time,” he said. “I was particularly concerned by Vodafone’s use of shared logins and passwords for staff and the broad range of detailed personal information available to them”.

VHA relies on the Oracle-owned Siebel customer relationship management system, which holds identity information collected from customers to comply with the 100 point ID verification checks. The documents new customers can provide to achieve the 100 point are, for example, passports and driving licences, with the relative expiring dates. The Commissioner’s report stated identity theft could cause significant harm if a security breach occurred, saying that store login IDs rather than individual IDs enhanced the data security risk.

“While Vodafone had a range of security safeguards in place to protect personal information on its Siebel system at the time of the incident, the use of store logins and the wide availability of full identity information via Siebel caused an inherent data security risk,” it is stated in the report.

Pilgrim said that, as a result of the investigations, VHA would issue individual login IDs and passwords to all appropriate staff, including employees in retail stores. He concluded he was pleased Vodafone had acted promptly to review and improve its IT security.

This morning VHA issued an official comment on the Commissioner’s findings. In a press release, the company said it had strengthened its data security, with tighter login identification and authentication processes, more frequent password resets and less approved access points for stores and dealers.

Vodafone Hutchinson Australia CEO, Nigel Dews, said the incident highlighted there were areas that needed improvement and that the company acted quickly to solve the problem. “We responded quickly, took action with those employees involved who had shared passwords, and brought forward the implementation of a number of new security measures to better protect all customers’ information,” he said.

The current Privacy Act does not allow for sanctions to be imposed after an investigation initiated by the Privacy Commissioner. However, Pilgrim said this case should remind all businesses using customer management systems to make sure their customers’ information are safely stored.

“To comply with the Privacy Act and retain the trust and loyalty of their customers, I urge businesses to review their data security practices to prevent the likelihood of a privacy breach occurring which could have the potential to lead to identity theft or fraud,” Pilgrim said.

Image credit: Vodafone


  1. Ouch. Another blow for Vodafone. And just after all the good press about new handsets and tablets coming out, as well as the promise to deliever LTE…

  2. Nothing in there about the daft levels of information available over the web tho’. While they might want to store it somewhere, do they really need to show full details of the 100 pt check, or just that it has been satisfied.

    Surely this is obvious – if you make everything plus the kitchen sink available it’s only increasing the likelihood that it’s going to be misused somehow sometime somewhere. Figure out what’s really needed for stores to view, and only give them that…

    • It wasn’t available “over the web” — you needed a password to access it. It’s fairly standard these days to expose a number of internal systems to the public internet — as long as there is security around the login etc.

  3. Vodaphone have been flogged by a wet lettuce.

    Really a shame the privacy commissioner canot slap Vodaphone with a hefty fine and an order for a public apology to run on prime time TV during the AFL and NRL grand final.

    They may get a message they understand

  4. There can be no justification for all but of handfull of staff having an access level that allows Displaying of full identity details. The majority of staff show see ***’s instead of full drivers license numbers, credit card numbers etc. Just because you are allowed to input data doesn’t mean you need to be able to redisplay the data.

Comments are closed.