Jan 10, 2011 10:58 GMT

Vodafone Australia launched an internal investigation after media reported that logins used to access sensitive customer data had been leaked to unauthorized persons.

The Sydney Morning Herald revealed that Vodafone's database of 4 million customers can be accessed remotely over the Internet by the telecom provider's authorized dealers.

Every store receives a unique ID and password that grants its employees access to the system. These logins are changed after three months.

According to information obtained by the newspaper, some of these accounts have been shared with unauthorized individuals and even criminals.

If true, this is a big security breach considering that the database contains customer names, home addresses, driver's licence numbers, credit card details and even call logs.

Some people apparently used the access to check the call history of their spouses, lovers, family members or business partners.

"It appears what has happened is that somebody shared a password," Vodafone chief executive Nigel Dews told The Age.

"It appears to be a one-off breach and we have got our internal investigators looking into it right now. We reset our passwords last night and we are resetting them every 24 hours until that investigation is complete," he added.

Regardless of the size of the breach, the fact that such sensitive information is so easily accessible by so many people carries a high risk of abuse.

If the Privacy Commissioner determines that Vodafone has breached the Privacy Act by not taking reasonable precautions to protect personal data, the company could face millions in compensation payments.

Lawyers who are already preparing a class action lawsuit against Vodafone for poor service, which includes dropped calls, no signal or inaccessible voicemail and data services, said they are looking into this new issue as well, with the possibility of extending the complaint.

"Organisational data shouldn't be accessible in an all-or-nothing fashion like this. It isn't fair to the organisation, and it definitely isn't fair to its customers," commented Paul Ducklin, head of technology for the Asia Pacific region at security vendor Sophos.