Vodafone accused of hacking journalist’s phone, potentially a significant privacy breach

September 13, 2015 |

The Australian in Vodafone ‘hacked’ reporter’s mobile reports on, if correct, a very substantial privacy breach by a telco, to wit Vodafone, in accessing one of its customers phone records in 2011. The customer, Natalie O’Brien, is a Fairfax journalist who ran a story, Vodafone mobile records leaked earlier in 2011 about a data breach by Vodafone. Unfortunately telcos have a dreary record when it comes to poor privacy practices and are notable in being the subject of action by the Privacy Commissioner, not noted as an assertive regulator.

The article provides:

AN investigative journalist is “absolutely outraged” after her phone was hacked by telco giant Vodafone because of a damaging story.

THE company admitted on Saturday a lone employee had accessed “call charge records and text messages” in January 2011.

Fairfax Media journalist Natalie O’Brien had exposed a serious security risk in 2011 in the company’s data storage techniques, which reportedly meant the names, addresses and credit card details of millions of customers were available online using generic passwords.

Internal Vodafone documents obtained by News Limited reveal the Vodafone Group’s former Australian fraud boss, Colin Yates, sent an email in 2012 outlining his concern that the hacking of O’Brien’s phone may become public knowledge.

“This could have serious consequences given it is a breach of the Australian Telecommunications Act,” Mr Yates wrote.

“And (it) would certainly destroy all of the work done by VHA (Vodafone Hutchison Australia) over the past months to try and restore their reputation.”

Vodafone immediately commissioned an investigation by a top accounting firm into the hacking, the company said in a statement.

“The investigation found there was no evidence VHA management had instructed the employee to access the messages and that VHA staff were fully aware of their legal obligations in relation to customer information,” a spokeswoman said.

The inquiry was undertaken to establish if any employee had broken privacy laws rather than to uncover the source of the Fairfax story, she said.

“As a result of our investigation, several retail staff were dismissed for breaches of VHA security policies.”

The company “strongly denied any allegations of improper behaviour”.

O’Brien, who was not aware of the incident before the publishing of internal documents by News Limited, said she was “absolutely outraged”.

 The reaction from O’Brien in Fairfax Media journalist Natalie O’Brien: Vodafone employee accessed my text message has been predictable, one of offence and outrage.  She also calls for society to take a good look at this sort of behaviour.  The reality is that this sort of behaviour can be more than looked at.  It is a breach of the Privacy Act and the Telecommunications Act.  The problem is, and has always been, that there has never been a full throated and determined regulation by the Privacy Commissioner consistent with the provisions of the of the Privacy Act. The methodology adopted by the office is thoroughly bureaucratic; very focused on producing documents, guidelines and well written (but careful) speeches.  It is very keen on collecting and citing statistics which at first glance (only) appear impressive.  The reality is that compliance is poor and there is, in certain sectors, a culture of impunity.  That is aided and abetted by a, reasonable, assessment that the risk of real scrutiny let alone prosecution is slim. That bespeaks ineffective regulation.

The article provides:

It is a creepy, nauseating experience to know that someone has been trawling through your mobile phone account looking at all your call records and private text messages.

The invasion of privacy is devastating. It plays with your mind. What was in those texts? Who were they to? What did they see? What did they do with the information?

My front-page story in The Sun-Herald in January 2011 revealed that Vodafone’s system, Seibel, was accessible from any computer using widely-shared log-ons.
Advertisement

The story revealed that the log-ons were being passed around and given to members of the public. In some cases they had been used to track the phone calls of spouses and it was also believed that the log-ons were being given to criminal groups. This vulnerability in Vodafone’s systems was a matter of legitimate public interest.

It was serious enough that both the Office of the Information Commissioner and the Australian Communications and Media Authority launched their own investigations.

I also happened to be a Vodafone customer.

I have since learnt that immediately after the release of my story, a Vodafone employee accessed and downloaded a copy of my text messages and call records.

The shock and anger is only compounded knowing it was because I was doing my job that I was targeted and it was my own telco that was doing it to me.

The accessing of call records and text messages without a legal basis has to stop.

As a society we need to take a good look at this sort of behaviour and say it is unacceptable.

Since when did telling the truth become the wrong thing to do?

 

 

One Response to “Vodafone accused of hacking journalist’s phone, potentially a significant privacy breach”

  1. Vodafone accused of hacking journalist’s phone, potentially a significant privacy breach | Australian Law Blogs

    […] Vodafone accused of hacking journalist’s phone, potentially a significant privacy breach […]

Leave a Reply