Vodafone’s data security dirty laundry aired in public
Reports that Vodafone's Australian operation is in the firing line of the country's Privacy Commissioner have been met with alarm by Philip Lieberman, president of Lieberman Software. The reports concern the apparent placing of billing and call records of millions of its customers on a Web site whose password was only changed on a monthly basis.
The saga is a classic situation of what can happen when too many people have access to high level account credentials and corresponding sensitive information.
“The newswires are already reporting that at least one class action-style lawsuit is being prepared, and there will undoubtedly be others,” said Lieberman, adding that “it appears that someone within Vodafone Australia shared a password with an unauthorized individual.”
It is telling that Vodafone Australia’s chief exec has told the media the carrier is now resetting its passwords every 24 hours, since the monthly changes are clearly what caused the widely reported security problem for the carrier.
The fact that the carrier only became aware of the security problem when it was tipped off by a newspaper reporter on Saturday shows what can happen when privileged account credentials are not secured: the problem appears to have been contained largely because of that reporter's tipoff, not because of any control the carrier had in place.
Lieberman said: “The saga is now under active investigation by Vodafone, and the fact that the Australian Privacy Commissioner is also involved means that the situation will hopefully be contained and fully disclosed. In the longer term there may be the issue of a regulatory fine to deal with, and there has definitely been some brand damage here. There may even be lawsuits. This really is a classic case of what can happen when a company’s data security methods – or rather, an alleged lack of them – are revealed in public,” he added.
“The biggest threat to organisations,” Lieberman said, “is the lack of automated management of sensitive accounts/passwords (called privileged accounts). The persistent use of shared accounts using simple passwords and being manually managed will lead to more examples of this type of disaster. Many government and financial organisations have already upgraded their environments to use automated solutions, but it appears that only a major embarrassment and customer anger will prod companies like Vodafone to adopt an automated solution.”
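The contrast Lieberman draws, between a shared password that is changed by hand once a month and an automated privileged-account system, is easier to see in code. The following is an added example written for this page, not Lieberman Software's product or anything from Vodafone's systems: a minimal credential vault that hands a privileged password to one named user at a time, rotates it the moment it is handed back, records who held it when, and flags any account whose password is older than the policy allows. The account names, users and timestamps are constructed.

```python
"""Minimal privileged-account vault: check-out/check-in with rotation and an audit trail.
Illustrative code added for this page (assumed design, not a real product's API)."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Draw a fresh password from the OS CSPRNG, replacing the 'simple password' anti-pattern."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class PrivilegedAccount:
    name: str
    password: str
    rotated_at: datetime
    checked_out_by: Optional[str] = None


@dataclass
class Vault:
    max_age: timedelta                      # rotation policy, e.g. 24 hours
    accounts: Dict[str, PrivilegedAccount] = field(default_factory=dict)
    audit: List[Tuple[datetime, str, str, str]] = field(default_factory=list)

    def add(self, name: str, now: datetime, password: Optional[str] = None) -> None:
        """Enrol an account; a legacy, manually set password can be passed in for comparison."""
        self.accounts[name] = PrivilegedAccount(name, password or generate_password(), now)

    def checkout(self, name: str, user: str, now: datetime) -> str:
        """Release the password to exactly one named user and log the event."""
        acct = self.accounts[name]
        if acct.checked_out_by is not None:
            raise PermissionError(f"{name} is already checked out by {acct.checked_out_by}")
        acct.checked_out_by = user
        self.audit.append((now, "checkout", name, user))
        return acct.password

    def checkin(self, name: str, user: str, now: datetime) -> None:
        """Return the account and rotate it, so the value the user saw no longer works."""
        acct = self.accounts[name]
        if acct.checked_out_by != user:
            raise PermissionError(f"{user} does not hold {name}")
        acct.password = generate_password()   # in a real system: push the new value to the target
        acct.rotated_at = now
        acct.checked_out_by = None
        self.audit.append((now, "checkin", name, user))

    def stale(self, now: datetime) -> List[str]:
        """Accounts whose password is older than the policy allows."""
        return [a.name for a in self.accounts.values() if now - a.rotated_at > self.max_age]

    def holder_at(self, name: str, when: datetime) -> Optional[str]:
        """Reconstruct from the audit trail who held the credential at a given moment."""
        holder = None
        for ts, event, acct, user in self.audit:
            if acct != name or ts > when:
                continue
            holder = user if event == "checkout" else None
        return holder


def demo() -> dict:
    """Constructed scenario: one vault-managed account beside one legacy monthly-rotated account."""
    t0 = datetime(2011, 1, 8, 9, 0)
    vault = Vault(max_age=timedelta(hours=24))
    vault.add("billing-portal-admin", t0)
    # Legacy shared account, last changed by hand 30 days ago (constructed value).
    vault.add("legacy-shared-admin", t0 - timedelta(days=30), password="Summer2010!")

    pw_alice = vault.checkout("billing-portal-admin", "alice", t0)
    vault.checkin("billing-portal-admin", "alice", t0 + timedelta(hours=1))
    pw_bob = vault.checkout("billing-portal-admin", "bob", t0 + timedelta(hours=2))

    return {
        "rotated_between_users": pw_alice != pw_bob,
        "holder_at_0930": vault.holder_at("billing-portal-admin", t0 + timedelta(minutes=30)),
        "holder_at_0130pm": vault.holder_at("billing-portal-admin", t0 + timedelta(hours=1, minutes=30)),
        "stale_under_daily_policy": vault.stale(t0 + timedelta(hours=2)),
        "audit_events": len(vault.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two properties the article's story lacks are both visible in `demo()`: the password Alice saw is useless to anyone she might share it with once she checks in, and `holder_at` can answer "who had this credential on Saturday" from the audit trail, which a shared monthly password cannot. The legacy account shows up in `stale()` because a 30-day-old password fails a 24-hour policy, the same gap Vodafone reportedly closed after the fact.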