Privacy Commissioner investigates alleged Vodafone breach

The Australian Privacy Commissioner has announced an investigation into allegations that Vodafone put customers' personal details, billing and call records at risk.

Commissioner Timothy Pilgrim initiated the investigation today, following reports that unauthorised parties had obtained log-in details to Vodafone's customer database.

Vodafone allowed its partners to access its Siebel CRM system, which contained customers' names, dates of birth, PIN, driver's license numbers, addresses, credit card details and call records.

A spokesman for the telco said retail and dealer staff were issued with log-in details, declining to disclose how many "secure log-in and password" combinations had been issued to date.

Passwords were typically reset "regularly", she said. All passwords were reset when Vodafone became aware of the alleged breach on Saturday, and the company has reset passwords every 24 hours since.

"We are also undertaking a detailed investigation and review of the training and process as an additional precaution," the spokesman told iTnews.

"Any unauthorised access to the portal will be taken very seriously, and would constitute a breach of employment or dealer agreement and possibly a criminal offence," she said.

Yesterday, Fairfax journalist Natalie O'Brien described using the database to reveal her personal information.

Criminal groups were reportedly paying for Vodafone customer information, while other people used the database to "check their spouses' communications", O'Brien reported.

According to the telco's chief executive Nigel Dews, any breach would have been a one-off incident caused by an employee or dealer sharing their log-in details.

But Chris Gatford, director of Australian penetration testing company Hacklabs, suggested that Vodafone's extranet was insufficiently secure.

"We're looking at very poor security controls on the most valuable data that this organisation holds," he said.

Gatford questioned why the CRM system was not protected with two-factor authentication involving both a password and another method, such as a physical token or one-time password via SMS.

Sophos's Asia Pacific head of technology Paul Ducklin wrote that the breach highlighted the dangers of making corporate data available to staff in an all-or-nothing fashion.

Vodafone promised to cooperate with the Privacy Commissioner's investigation, and planned also to conclude an internal investigation into the issue today.

Pilgrim said he had launched the investigation because he was "concerned about the amount of personal information that may have been disclosed which could include sensitive information".

While the Commissioner could not currently impose penalties following an own motion investigation, he could determine an appropriate remedy - including compensation, a change in processes, or an apology - for a privacy breach.

"Our Office is treating the investigation as a priority," he told iTnews this afternoon.

"If I find a breach of the Privacy Act following an own motion investigation, I will work with organisations to secure undertakings that they are meeting their privacy obligations and to minimise the likelihood of privacy breaches happening again."

Pilgrim urged affected customers to first contact Vodafone, and to make a complaint to the Office of the Australian Information Commissioner should Vodafone's response by unsatisfactory.