The Privacy Commissioner has found that Vodafone breached the Privacy Act because it did not have appropriate measures in place to protect customer data, although it was found not to have customers’ personal information publicly available on a website.
The Commissioner’s investigation was in response to a Sydney Morning Herald investigation that revealed the security flaws in Vodafone’s customer database system, which is used by many of its stores. The Herald’s investigation claimed that the database was accessible via a public website and was used for other purposes such as passing details to criminal groups.
“In the course of my investigation I did not find any evidence that substantiated the claim that Vodafone customers’ personal information was available on a publicly accessible website,” Commissioner Timothy Pilgrim said in a statement.
“However, in my view, Vodafone did not have appropriate security measures in place to protect customers’ personal information at the time. Consequently Vodafone was in breach of their obligations under the Privacy Act.”
“I was particularly concerned by Vodafone’s use of shared logins and passwords for staff and the broad range of detailed personal information available to them.”
Vodafone will now issue individual login IDs and passwords, as well as review its IT security. However, due to the Privacy Act, the Commissioner has not imposed any sanctions following the investigation.