Vodafone failed to properly protect individuals’ data in its recent customer privacy debacle, the Privacy Commissioner has ruled.
In January a lost password is believed to have allowed online access to thousands of Vodafone customers’ private details, including credit card and call records.
The Privacy Commissioner decided Vodafone was negligent with its customer database, but pointed out that the security breach wasn’t as serious as initially reported.
It was first believed that log-in details and passwords were available via Vodafone’s website.
“We found that the claims that customer information was available on the web weren’t substantiated,” Privacy Commissioner Timothy Pilgrim said in a statement.
“(We) can find no evidence that this information was available on the internet or Vodafone’s website.”
Siebel, the customer management system used by Vodafone, has functions that can detect strange usage patterns of the system.
The Commissioner found that employees were sharing log-ins, which made the features designed to detect misuse ineffective.
“I was particularly concerned by Vodafone’s use of shared log-ins and passwords for staff and the broad range of detailed personal information available to them,” Pilgrim says.
Vodafone responded in a statement saying: “Any unauthorized access to the portal will be taken very seriously and would constitute a breach of employment or dealer agreement and possibly a criminal offence.”
Days after the initial allegations, Vodafone fired an unspecified number of NSW employees who were believed to have caused the potential leaking of details.
Vodafone has promised to review its training and IT systems and to reset all passwords across its databases. Pilgrim was satisfied with the changes being made by the telco.
“I would have to say that I did welcome the fact that Vodafone did deal with this promptly,” he says.
Pilgrim took the opportunity to hammer home the importance of online systems security to other businesses.
“All businesses must take their customers’ privacy seriously,” he said.
“Systems should be up-to-date and secure, and staff should only have access to the information necessary for their work.”
The findings come at an interesting time for Vodafone.
As well as the privacy breaches and customer backlash over poor phone reception, Roy Morgan has released figures revealing that Vodafone is now rated second last (ahead of only Dodo) among internet service providers in terms of customer satisfaction.