An investigation by the Sun Herald, the Sydney Morning Herald’s Sunday paper, has revealed that personal details of Vodafone customers, including names, addresses, driver licence numbers and credit card details, have been made available on the internet.
The internal customer database is meant to be used by Vodafone stores; however, it is accessible via the Internet rather than a private network or intranet. In addition, while each store has a different username and password to access the database, login details have been passed on to external sources.
In other words, I can simply go straight to the address where the records are stored and, if I know the password, access all your information from my house, despite not being on a computer or IP address that should be authorised to do so.
The investigative journalist was able to access all of her personal details in a number of seconds after logging in.
“I was surprised at how quickly and easily the customer database could be opened from anywhere by someone unconnected to Vodafone. I could see my full name, address, driver’s licence number, date of birth, the pin number to access and change details on my Vodafone account,” she recounted in her article.
“My entire call list – everyone I had rung or texted and the time I spent on the phone – was visible.”
Vodafone Hutchison Australia (VHA) has denied that the customer details were publicly available, saying they were protected via a secure web portal.
“Customer information is stored on Vodafone’s internal systems and accessed via a secure web portal, accessible to authorised employees and dealers via a secure login and password,” Cormac Hodgkinson, Director of Customer Service and Experience for VHA, wrote in a blog post.
The telco has confirmed that all passwords have been reset and that a review will get underway to protect further details.
However – if it is proven true – this is another story damaging to the Vodafone brand for VHA. The company previously had to backflip on problems with its network, first claiming the phones were at fault before writing an apology to its customers and saying that it will improve its network in 2011 with new or upgraded base stations. The network problems have already sparked a class action lawsuit against the telco, which has already attracted 9,000 interested customers.
The Vodafail website has also been updated in order to reflect the investigation.
“The implications of this security breach are deeply concerning to all Vodafone customers and represents the latest and most widespread problem affecting Vodafone,” the site’s founder Adam Brimo wrote.
“Vodafail.com believe the security breach warrants a serious, comprehensive and prompt investigation by the Privacy Commissioner and the Australian Communication and Media Authority.”
The site has also provided options on how and to whom to complain regarding the security breach.
Image on top by: chispita_666/Flickr