8 Jan 2011

Will Vodafone pay for my new credit card and drivers licence numbers?

Cormac Hodgkinson, Vodafone's "Director of Customer Service and Experience", fails to reassure me when he posts this:

You may have seen recent media reports in relation to customer information – please be assured that Vodafone takes customer information and data security extremely seriously. Customer information is not ‘publicly available on the internet’. Customer information is stored on Vodafone’s internal systems and accessed via a secure web portal, accessible to authorised employees and dealers via a secure login and password.

(from http://blog.vodafone.com.au/blog/news/vodafone-customer-data-security )

The "recent media reports" he's trying to defuse presumably include:

http://www.abc.net.au/news/stories/2011/01/09/3109067.htm

http://www.smh.com.au/technology/security/mobile-security-outrage-private-det...

http://www.theage.com.au/technology/security/vodafone-mobile-records-leaked-2...

and tweets like this one:

The big claims being made (at least in the SMH and Age pieces) are:

In this new saga for Vodafone, dealers have revealed that they are frequently asked to do "favours" and to pass on their login details.

Because the customer database is not an intranet (internal company system) and instead on the internet, users with a password can log in to the portal from anywhere, then access any customer's information.

Vodafone retailers have said each store has a user name and password for the system. That access is shared by staff and every three months it is changed. Other mobile dealers who sell Vodafone products also get full access to the database.

Anyone with full access can look up a customer's bills and make changes to accounts. Limited access allows searching by name, which takes much longer and is more involved but can be just as effective when done correctly. "It's scary stuff in the wrong hands," one dealer told this website.

So, my questions for Vodafone are:

  • Is it true that “accessible to authorised employees and dealers via a secure login and password” means “each Vodafone store has a shared login/password combination that is known/used by many staff members at that store”?
  • Do these "secure login and passwords" only allow access from store-specific network connections, or do they work from any internet connection?
  • Is there any audit trail that allows Vodafone to identify which individual staff member has made queries that reveal a customer's personal information?
  • Am I going to have to get replacement credit card numbers for the 5 or 6 different credit cards that may have been used in my household to pay for any of the 6 Vodafone SIMs we use?
  • Can you assure me you haven’t potentially exposed my name, address, birthdate, and drivers licence number to anyone having access to one of those shared login/password combinations?
  • Who's going to pay for the time/money required to monitor for identity theft and to change credit card and drivers licence numbers where required?
  • And, the bonus conspiracy theory question, did you leak this yourself to distract the media from the ongoing network problems?