The Australian privacy commissioner today said that although Vodafone didn't make customers' information publicly available on the internet during its recent security scandal, it was nonetheless in breach of its obligations under the Privacy Act.
In January 2011, the telco started an investigation over an alleged breach of its security, which had reportedly seen customers' personal information, including phone call details, made available to individuals who had obtained password access to the telco's internal database for its Vodafone brand. The privacy commissioner also initiated his own investigation into the privacy breach.
Australian Privacy Commissioner Timothy Pilgrim today released the findings of his investigation, stating that he didn't find evidence that Vodafone customers' personal information was available on publicly accessible websites, but that he found the company's security measures to be inappropriate.
"...in my view, Vodafone did not have appropriate security measures in place to protect customers' personal information at the time," he said. "I was particularly concerned by Vodafone's use of shared log-ins and passwords for staff and the broad range of detailed personal information available to them."
VHA relies on the Oracle-owned Siebel customer relationship management system, which holds identity information collected from customers to comply with the 100-point ID verification checks. The documents new customers can provide to achieve the 100 points include, for example, passports and driving licences. The commissioner's report stated that if a security breach occurred, any consequent identity theft could cause significant harm. The use of store log-in IDs rather than individual IDs heightened the data security risk, according to the report.
"While Vodafone had a range of security safeguards in place to protect personal information on its Siebel system at the time of the incident, the use of store log-ins and the wide availability of full identity information via Siebel caused an inherent data security risk," it said.
Pilgrim said that, as a result of the investigations, Vodafone Hutchison Australia (the joint venture between Vodafone and Hutchison) would issue individual log-in IDs and passwords to all appropriate staff, including employees in retail stores. He concluded by saying he was pleased Vodafone had acted promptly to review and improve its IT security.
This morning VHA issued an official comment on the commissioner's findings. In a press release, the company said it had strengthened its data security, with tighter log-in identification and authentication processes, more frequent password resets and fewer approved access points for stores and dealers.
Vodafone Hutchison Australia CEO, Nigel Dews, said that the incident had highlighted areas needing improvement and that the company had acted quickly to solve the problem.
"We responded quickly, took action with those employees involved who had shared passwords, and brought forward the implementation of a number of new security measures to better protect all customers' information," he said.
The current Privacy Act does not allow for sanctions to be imposed after an investigation initiated by the privacy commissioner. However, Pilgrim said this case should remind all businesses using customer management systems to make sure their customers' information is safely stored.
"To comply with the Privacy Act and retain the trust and loyalty of their customers, I urge businesses to review their data security practices to prevent the likelihood of a privacy breach occurring which could have the potential to lead to identity theft or fraud," Pilgrim said.