Mixed findings in Privacy Commissioner's Vodafone report

The Privacy Commissioner’s report into the alleged privacy breach of some four million Vodafone customers’ billing and call records has found failings on the telco’s behalf.

The report noted two key areas of the National Privacy Principles, NPP 2.1 and NPP 4.1, which applied to the incident.

NPP 2.1 states that organisations must only use or disclose personal information for the primary purpose for which it was collected, unless an exception under NPP 2.1 or otherwise applies.

NPP 4.1 states that an organisation collecting and holding personal information must take reasonable steps to protect that information from misuse and loss, and from unauthorised access, modification or disclosure.

“While the information available to the Privacy Commissioner showed that the reported incident was not a disclosure in breach of NPP 2.1, he considers that, at the time of the incident, Vodafone did not have an adequate level of security in place to protect the personal information it held in its Siebel system,” the report reads.

“For that reason, Vodafone did not meet its NPP 4.1 obligations.”

According to the report, the question of whether the steps taken by Vodafone to protect personal information were reasonable in the circumstances was a subjective test based on particular risks within its business.

However, it did note that the use of store loginI identification, rather than individual login identification, added to underlying data security risk.

“The use of shared loginIDs reduces the effectiveness of audit trails to assist in investigations and access control monitoring, which are important steps for organisations in protecting personal information,” the report reads.

“In practical terms, the use of shared logins means that anomalies may not be detected and if they are, they may not be able to be effectively investigated as the actions are not linked to an individual authorised user.”

The report concedes that Vodafone did, on becoming aware of the alleged disclosures, act immediately to restrict access to personal information, commence an internal investigation the incident and review its data security practices.

“These actions were a positive step to preventing any possible unauthorised access to the personal information held by Vodafone until such time as the allegations could be investigated,” the report reads.

“By way of reaching a resolution to this matter, the Privacy Commissioner welcomes Vodafone’s undertaking to improve its data security measures and requests that Vodafone report back to him about the outcome of its IT security review and progress of its implementation program.”

In a statement, Vodafone Hutchison Australia (VHA) chief executive, Nigel Dews, said the telco had outlined “immediate action” taken to strengthen data security, including login identification and authentication processes, more frequent password resets, limiting approved access points for stores and dealers, and even more stringent monitoring and detection technologies.

“There were areas that needed improvement, which this incident highlighted,” Dews said. “We responded quickly, took action with those employees involved who had shared passwords, and brought forward the implementation of a number of new security measures to better protect all customer information.”

Follow Tim Lohman on Twitter: @tlohman

Follow Computerworld Australia on Twitter: @ComputerworldAU