The slow burn of the Vodafone data breach story
September 18, 2015
Data breach notification legislation is becoming a mandatory feature of most data protection legislation in the developed world. There are some quirks here and there: the USA has data breach notification laws in most states but not at a Federal level. In Australia there is no data breach notification legislation at a state level and only very limited legislation at a Federal level, confined to breaches relating to some health records. There is no general requirement. That has always been a concern. Given that Australia now has mandatory data retention laws for telcos, it is a significant failing. Telecommunications firms have been notorious for their poor compliance with privacy legislation and quite obdurate when weaknesses have been pointed out to them. Vodafone’s reaction to what, on even the briefest review of the uncontroversial facts, appears to be a significant privacy breach highlights this point. Its strategy is not to admit the breach, but then to say that if there was one it was the activity of a rogue operator. Of course that means little from the perspective of complying with the provisions of the Privacy Act: there should be systems in place to deal with unauthorised access to, and misuse of, personal information.
Vodafone’s reaction has attracted the ire of at least one politician, according to ‘Offensively inadequate’: NSW minister Victor Dominello slams Vodafone’s response to breach of Fairfax Media journalist’s privacy. This story may have a slow burn, but it seems to have enough traction that something may be done.
The story provides:
Vodafone’s response to a staff member’s unauthorised access of a Fairfax Media journalist’s phone records in order to identify the source of a damaging story about the company was “offensively inadequate”, says a NSW government minister.
NSW Minister for Innovation and Better Regulation, Victor Dominello, said he was “deeply concerned” when he read reports that Vodafone allegedly breached the personal privacy of Fairfax Media investigative reporter Natalie O’Brien.
“This breach of privacy was an attack on our democracy,” he said in a comment piece published by Fairfax Media online on Thursday, pointing to the company’s alleged illegal accessing of her phone records, including text messages, in order to ascertain the identity of a whistleblower.
Vodafone allegedly illegally accessed the mobile phone records of Fairfax journalist Natalie O’Brien. Photo: Glenn Hunt
A Vodafone spokeswoman said on Saturday that a lone employee had “accessed some recent text messages and call records of a customer” in January 2011 but denied any wrongdoing on behalf of the company.
Its CEO then apologised three days later, on Tuesday, and the company said it had reported the matter to the Australian Federal Police and NSW Police, as well as to the federal privacy commissioner and the Australian Communications and Media Authority.
The breach occurred shortly after O’Brien published a story about a security vulnerability which saw the details of millions of Vodafone customers accessible online using widely used and shared generic passwords. O’Brien was at the time a Vodafone customer.
“The media is the 4th estate. It is absolutely essential to our democracy, to our way of life, to our freedoms,” Dominello said.
“Democracy without the 4th estate is like having lungs without air. We put in place Shield Laws to protect journalists from revealing their sources.
“The fact that Vodafone hacked into a journalist’s personal text messages and call records in order to obtain the identity of the source, is I repeat, deeply disturbing.”
He labelled Vodafone’s reaction — that the incident was essentially the result of a rogue employee — the “3 wise monkeys defence” and “offensively inadequate”.
“Telecommunication companies that operate in the 21st century are leaders in innovation and security,” he said.
“But Vodafone’s failure to take appropriate action at the time of becoming aware of breaches, to alert the police and individuals concerned, demonstrates the flagrant disregard for privacy by the organisation.”
He called on Vodafone to reveal what internal procedures existed at the time of the incident to reduce the risk of privacy breaches; what audit procedures existed to identify when privacy breaches occurred; whether Vodafone educated its employees about their responsibilities regarding the handling of personal data; whether Vodafone immediately notified the federal Privacy Commissioner and the Australian Federal Police; and to explain what changes the telco had made to improve the privacy settings for its customers following the breach.