The Australian Privacy Commissioner, who recently initiated an investigation into claims that Vodafone billing and call records for up to four million customers were openly available online, has concluded that Vodafone did not have adequate levels of security in place to protect personal information. However, there was no breach as claimed by Fairfax Media.
Vodafone claims that as a result of the exposure they have disabled a Siebel database system which has been blamed for the failure.
Vodafone has admitted that a login of a VHA-owned store was used to show an individual what information the Siebel system held about them.
In doing so, it was demonstrated how a user with a current login ID and password gained access to the customer information stored in Siebel.
Following an internal investigation, Vodafone said that no login IDs, passwords or customer data were ever available on the internet or on the Vodafone website.
The Privacy Commissioner said that they could find no evidence that this information was available on the internet or Vodafone’s website despite claims by Fairfax Media that this was the case.
However, the investigation did show that a small number of staff may have breached Vodafone’s internal policies relating to the appropriate use of login IDs and passwords.
At the time of the incident, Vodafone advised it had a range of data security measures in place to protect the personal information held in their Siebel system, including access controls, network protection, system monitoring and policies and procedures about customer confidentiality and privacy.
Following the release of the Australian Privacy Commissioner’s report, Vodafone issued a statement confirming that customers’ personal information was not publicly available on the internet.
Vodafone said that immediate action was taken to strengthen data security. Changes include improving login identification and authentication processes, more frequent password resets, limiting approved access points for stores and dealers and even more stringent monitoring and detection technologies. A number of other additional security measures are also being implemented.
“There were areas that needed improvement, which this incident highlighted. We responded quickly, took action with those employees involved who had shared passwords, and brought forward the implementation of a number of new security measures to better protect all customer information,” said Nigel Dews, CEO of Vodafone Hutchison Australia.