Vodafone has attracted the attention of the Office of the Australian Information Commissioner (OAIC) and Australia's communications regulator over reports an employee illegally accessed the phone records of a Fairfax journalist in 2011.
Earlier this week, The Australian published leaked emails revealing Vodafone had accessed Fairfax journalist Natalie O'Brien's mobile phone records to identify her source for story on flaws in the telco's security systems.
O'Brien had published a story in 2011 detailing the vulnerabilities within Vodafone's Siebel system that meant call records could be easily accessed.
Email exchanges published by The Australian revealed the telco discussed the serious reputational and legal consequences should its access of O'Brien's records get into the public domain.
At the time, the telco was in the midst of trying to repair damage from the 'Vodafail saga', which saw customers leave the company in droves following a period of poor customer and network service.
Vodafone has denied [pdf] any allegations of improper behaviour and said the report was false and riddled with error.
It said in 2012 it had identified an instance where a lone employee had accessed the records, and immediately commissioned an investigation. The telco said the resulting report found Vodafone management had not instructed the employee to access the data.
Current NBN CEO Bill Morrow was head of Vodafone Australia at the time the breach occurred.
At an NBN committee hearing on Monday, Morrow was grilled on whether he had referred the allegations to the police or a regulatory body.
Morrow said he had not been aware of "any of the details that are being currently reported in the news" and had not reported anything to the police.
He said he recalled a "significant case of fraud" that took place in 2012 but declined to specify.
"I do remember there was a significant case of fraud that the general counsel … took the proper steps," he said.
"I rely on the executives of the company to do a lot of things, there is no one person can do everything within a company. I'm sure you know that.
"If there was any criminal activity that I was aware of, I would've made sure it was appropriately dealt with."
But the Australian Communications and Media Authority said it had not investigated the issue. It said it was currently working with the OAIC and Vodafone on the matter.
The OAIC similarly said it had only become aware of the issue in May this year.
Should the claims be proven, Vodafone would be in breach of the Telecommunications Act.
"The ACMA is aware of the allegations now reported regarding a former Vodafone employee and the telecommunications records of a journalist," the regulator said in a statement late yesterday.
"The ACMA has not previously investigated these allegations."
"All organisations, including telecommunications providers, have an obligation under the Privacy Act 1988 to protect the personal information that they hold from misuse, interference and loss and from unauthorised access, modification or disclosure," the OAIC said.
O'Brien labelled Vodafone's alleged actions as a 'devastating invasion of privacy'.
"It is a creepy, nauseating experience to know that someone has been trawling through your mobile phone account looking at all your call records and private text messages," O'Brien said on Monday.
"The shock and anger is only compounded knowing it was because I was doing my job that I was targeted and it was my own telco that was doing it to me."