Vodafone notifies privacy commissioner of New Zealand of serious privacy breach

July 10, 2014

Two pieces in the New Zealand paper Business Day, Vodafone privacy breach ‘serious’ and Vodafone alerts privacy watchdog, report on a serious privacy breach on the Vodafone network, this time through the use of a master password to access private customer information. Curiously, a customer identified the breach and notified Vodafone when he found he could access other customers’ private information. This points to a structural issue in the password system and data storage. It is very embarrassing and highlights the need for a comprehensive and reviewable password system.

The Vodafone privacy breach article provides:

Vodafone is experiencing a serious privacy breach – people with a master password are able to access private customer information, including credit card details.

The loophole was discovered by a new Vodafone customer, who said he accidentally accessed another Vodafone customer’s account with the password when he was trying to get into his.

“Everything from personal information, their phone number, their internet usage, credit card details,” said the man who did not want to be named.

“You name it, you could view it and edit it.”

All a person needed was the password and a login ID and they could access the details online.

The man called Vodafone’s contact centre on Friday to alert it to the breach and said he spent three “obnoxiously frustrating” hours on the phone.

“It came to the point where their manager said they would call me on Monday but they didn’t and I don’t think they really understood the gravity of the situation.

“I can still log in to other people’s stuff but it also means my information is not secure.

“I tried calling them again today but got put on hold again.”

Netsafe executive director Martin Cocker said it was a serious privacy breach and one which Vodafone would be urgently working on fixing.

The breach could be an issue to do with standardised passwords given to new users but could also be attributed to a number of other reasons, he said.

“Not having seen the back end of it it is hard to comment on what the actual failing is.

“The important thing is at the front end there is an important security issue and therefore it needs to be resolved.”

When contacted by Fairfax Media tonight, a Vodafone spokesman said it was not aware of the breach but, given the seriousness of the topic, would look into it as a matter of urgency.

The Vodafone alerts privacy watchdog article provides:

Vodafone says it has informed the Privacy Commissioner about a data breach identified by a customer yesterday.

The customer said he had been able to access details of other people’s Vodafone accounts, including personal information, their internet usage and credit-card details by using a default password.

Vodafone spokeswoman Emma Carter said that according to its information it was possible only 24 fixed-line broadband accounts had been vulnerable. She denied credit-card information could have been compromised.

The customer said he called Vodafone’s contact centre on Friday to alert it to the vulnerability and spent three “obnoxiously frustrating” hours on the phone trying to report the issue.

“It came to the point where their manager said they would call me on Monday but they didn’t and I don’t think they really understood the gravity of the situation,” he said.

Carter said Vodafone investigated the issue overnight and identified a block of 100 fixed-line broadband accounts that were allocated the same initial activation password when their accounts were set up last month.

However, the company could not at this stage rule out the possibility there were more. Of the 100, 76 had changed their default password, she said.

Carter said Vodafone had now protected the remaining 24 accounts by resetting all the initial setup passwords on those accounts.

“We apologise for any concern this has caused our customers, and reassure them that it is not possible to access credit-card details or personal financial information,” she said.

Vodafone mobile customers were not affected.

Charles Mabbett, a spokesman for the Privacy Commissioner, confirmed Vodafone had reported the incident and said it appeared to be responding appropriately.

 
