
Vodafone Customer Database Breached

samzenpus posted more than 3 years ago | from the lets-see-what-we-got-here dept.

Australia 136

beaverdownunder writes "Vodafone has confirmed it believes its secure customer database has been breached by an employee or dealer who has shared the access password, revealing the personal details of millions of customers... According to Fairfax newspapers, 'criminal groups are paying for the private information of some customers including home addresses and credit card details.'"


136 comments


Access password with no ACLs ? (4, Insightful)

ls671 (1122017) | more than 3 years ago | (#34815422)

Well this sure sounds like when they need to give somebody access to *some* data, they just give her/him a username/password which then grants her/him access to the whole database.

ACLs? Group-based authorization? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers' data, etc.

Kind of like: You are the new guy who is managing our blog? Here is the root password on all our systems; thanks to yp, they are the same on all machines. Have fun in your new job.

Re:Access password with no ACLs ? (0)

Anonymous Coward | more than 3 years ago | (#34815492)

"The details are reportedly accessible from any computer because they are kept on an internet site rather than Vodafone's internal system.

"Mobile phone dealers have also admitted that anyone with full access to the system can look up a customer's bills and make changes to accounts."

Bang on, and 24-hour passwords are not going to solve that problem. If you can't track account changes to a specific account, it makes it a lot harder to track and undo the changes made by a rogue employee.

Re:Access password with no ACLs ? (3, Insightful)

Anonymous Coward | more than 3 years ago | (#34815516)

The bigger problem appears to be that they don't even seem to use individual logins.

They appear to give stores a single username and password to share (which is probably written on their screens!), and then allow their management system to be accessible from any location.

The best bit is that some of these credentials are even posted in documents on their website if you look hard enough.

*facedesk*

Re:Password Changes (1)

Anonymous Coward | more than 3 years ago | (#34815690)

From the Article:
"I'm not concerned about the brand at the moment, I'm mostly concerned about making sure our customers' records are safe."

"And that's why we're resetting those passwords every 24 hours. "

So I guess
Today's password is "password01092011", tomorrow's password is "password01102011". Terminal labels will be changed to password = password + today's date.

Re:Access password with no ACLs ? (1)

Anonymous Coward | more than 3 years ago | (#34816422)

I suspect that this is indeed the case. The "enterprise" tool to access/update phone contract data comes with a Windows installer that sets up a "secret" key and certificate in the Windows certificate store to create a VPN connection. This key is the same for all store installations and can easily be extracted by removing the "not exportable" flag when running the installer in a debugger.

Re:Access password with no ACLs ? (1)

fractoid (1076465) | more than 3 years ago | (#34815522)

ACLs? Group-based authorization? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers' data, etc.

At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this. Why the HELL would you have any sensitive customer data on an internet-facing machine?

Re:Access password with no ACLs ? (5, Interesting)

Anonymous Coward | more than 3 years ago | (#34815660)

ACLs? Group-based authorization? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers' data, etc.

At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this. Why the HELL would you have any sensitive customer data on an internet-facing machine?

Because you're a large corporation, therefore the worst that'll happen to you is a small slap-on-the-wrist fine.

How to suddenly tighten up corporate security in one maneuver: pass a law stating that the corporate veil is null and void in the case of egregious security violations like this that even the slightest effort could have prevented, leaving the highest levels of management with their deep pockets open to personal civil suits that are NOT eligible for class-action status or any other group status. One at a time Mr. CEO. Are there thousands of victims? Well, hope you got a lot of time on your hands.

Re:Access password with no ACLs ? (0)

glyphi (661141) | more than 3 years ago | (#34815930)

It doesn't even matter if it's a massive painful fine - it all gets passed on to the customer; you betcha the management and shareholders won't suffer when averaged out over the next few years. At the worst one scapegoat will get the sack.

Re:Access password with no ACLs ? (1)

Anonymous Coward | more than 3 years ago | (#34815998)

It doesn't even matter if it's a massive painful fine - it all gets passed on to the customer; you betcha the management and shareholders won't suffer when averaged out over the next few years. At the worst one scapegoat will get the sack.

What part of "the corporate veil" being "null and void" is difficult for you to understand? Reading comprehension has reached an all-time low when there are so many wasteful posts like yours.

Re:Access password with no ACLs ? (0)

Kalriath (849904) | more than 3 years ago | (#34816252)

Ah, so the CEO and upper management are personally responsible for anything bad that happens?

I know this is not a popular opinion here, but sometimes the "peon" implementing the system actually is lazy and useless. You're advocating making senior management pay for the actions of an employee they probably never met. Unless you think senior management (who aren't IT people, inevitably) should be vetting every single deployment for stuff they don't understand?

Your "solution" is stupider than the problem it's trying to solve. Preventing that sort of shit from happening is the point of limited liability.

Re:Access password with no ACLs ? (1)

turbidostato (878842) | more than 3 years ago | (#34817516)

"I know this is not a popular opinion here, but sometimes the "peon" implementing the system actually is lazy and useless."

Still his manager's fault for not firing him on the spot.

"You're advocating making senior management pay for the actions of an employee they probably never met."

Senior management advocate they should get bonuses for the actions of all those employees they probably never meet so it's just tit-for-tat.

Re:Access password with no ACLs ? (1)

noidentity (188756) | more than 3 years ago | (#34816006)

At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this.

Hopefully not for long. Change your CC number and close your account (and don't let them charge you any kind of disconnection/early termination fee).

Re:Access password with no ACLs ? (1)

Peeteriz (821290) | more than 3 years ago | (#34816076)

The most basic call center employee needs access to data of all the customers, since any of them may call. How can you partition the data and at the same time achieve seamless customer experience wherever the customer may contact you?

Re:Access password with no ACLs ? (1)

headshrinker (37311) | more than 3 years ago | (#34816276)

Pull up the data on the caller as they call? Call centre staff don't need access to my details unless I'm on the phone to them, or I have a case open that they're still helping with.

Re:Access password with no ACLs ? (0)

Anonymous Coward | more than 3 years ago | (#34816590)

So....let's say I've lost my phone, and I'm ringing up to get it blocked. How would you bring up my details, when I can't call from my phone? The CSR has to be able to search all customers.

What does happen, is that high value accounts (e.g. politicians, c-list celebs, etc) will only be accessible by higher level staff. General phone accounts have to be accessible by all CSRs.

Re:Access password with no ACLs ? (1)

Kalriath (849904) | more than 3 years ago | (#34816286)

A limited subset of data, yes. The call centre employee doesn't need access to billing for example. The billing support people do, but even they probably don't need access to CC details (perhaps some senior staff should, just so that they can deal with calls related to it). Dealer stores most definitely don't need access to that level of detail, and certainly not for every customer (even those they didn't sign up). And all this stuff sure as shit shouldn't be delivered directly over the frigging internet.

Re:Access password with no ACLs ? (1)

Pembers (250842) | more than 3 years ago | (#34816354)

The most basic call center employee needs access to data of all the customers, since any of them may call. How can you partition the data and at the same time achieve seamless customer experience wherever the customer may contact you?

Partition the call centre employees according to the least significant digit or digits of the customer's telephone number. Employees A, B and C deal with customers with phone numbers ending in 0, and can only see records of those customers. Employees D, E and F deal with phone numbers ending in 1, and so on.

This is how it was done when I worked in the civil service nearly 20 years ago (well, there it was alphabetically by customer surname, but it's the same principle). That was done for logistical convenience, because we had huge quantities of paper. The records of any customer who might call me would be within 10 feet of where I was sitting, but it had the useful side effect of making it obvious if I went looking at records I wasn't supposed to.

Granted, this approach in itself wouldn't stop someone copying everything they can access onto a DVD, but if done properly, it would limit the number of customers who want to sue you. It would also give you a head start on figuring out which employee has gone rogue or wrote their password on a Post-It...

Re:Access password with no ACLs ? (0)

Anonymous Coward | more than 3 years ago | (#34816542)

Partitioning the customers makes the whole hotline inefficient and will increase wait times. Instead, limit the number of records per timeframe that any staffer can access, and allow those who work in a call center to log into the system only from the call center and when they actually work (e.g. not at night or at a weekend when it's not their shift).

Re:Access password with no ACLs ? (1)

Pembers (250842) | more than 3 years ago | (#34816934)

That would probably work better, yes. Though you can bet this hack wasn't done by someone looking up the record for phone number 000-0000-0000, then 000-0000-0001, then... Perhaps as well as limiting the number of searches an employee can do, searches should be limited to returning no more than X records, where X is much smaller than the number of records in the database.

Re:Access password with no ACLs ? (1)

Peeteriz (821290) | more than 3 years ago | (#34816968)

That doesn't work - when I come in person to someone, or someone has picked up my call, they don't know which customer has arrived, and forwarding later to someone else is horribly inefficient and bad service.

Re:Access password with no ACLs ? (1)

Spudley (171066) | more than 3 years ago | (#34816260)

You say: "very few people should be allowed to view credit card numbers".

In fact, for them to be PCI compliant (which I would assume a company the size of Vodaphone must be), no-one should be able to access customer credit card numbers. It's shockingly bad practice if they're even in their database, let alone widely accessible.

Re:Access password with no ACLs ? (1)

AK Marc (707885) | more than 3 years ago | (#34816452)

They are on so that the customer can call in once a month and say "charge the number in my account for last month's bill."

Re:Access password with no ACLs ? (1)

grahammm (9083) | more than 3 years ago | (#34816740)

They are on so that the customer can call in once a month and say "charge the number in my account for last month's bill."

That does not require the CC number to be displayed. The backend system has the number stored (otherwise it could not be retrieved and displayed to the agent), so in the payment entry screen there should be "buttons" for 'charge to stored bank account', 'charge to stored Credit/Debit Card' and 'Enter the card details to be charged'.
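
An added example (not the thread's or Vodafone's code; every name is hypothetical and the records are constructed) of the access layer several posts above ask for: individual logins, role-based field visibility, row scoping for a dealer's own customers or a phone-digit partition, caps on lookup rate and search breadth, an audit trail, and the "charge the stored card" button that never shows the agent the card number.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Optional
import time

# Constructed sample records (hypothetical). The card number is not stored
# here at all, only a payment-gateway token and the last four digits.
CUSTOMERS = {
    "C001": {"name": "Alice Example", "phone": "0400000010", "dealer": "store_7",
             "balance_due": 42.50, "card_last4": "4242", "card_token": "tok_alice"},
    "C002": {"name": "Bob Example", "phone": "0400000020", "dealer": "store_7",
             "balance_due": 0.00, "card_last4": "1111", "card_token": "tok_bob"},
    "C003": {"name": "Carol Example", "phone": "0400000030", "dealer": "store_9",
             "balance_due": 18.00, "card_last4": "0005", "card_token": "tok_carol"},
    "C004": {"name": "Dave Example", "phone": "0400000041", "dealer": "store_9",
             "balance_due": 7.25, "card_last4": "9999", "card_token": "tok_dave"},
}

# Fields each role may read. No role can read card_token: it is used only
# server-side, inside charge_stored_card().
ROLE_FIELDS = {
    "csr": {"name", "phone", "balance_due"},
    "billing": {"name", "phone", "balance_due", "card_last4"},
    "dealer": {"name", "phone"},
}

LOOKUP_LIMIT = 5      # records one login may open per window
LOOKUP_WINDOW = 60.0  # seconds
MAX_RESULTS = 2       # a search may never return more hits than this
AUDIT = []            # (timestamp, user, action, subject): the trail that lets
                      # a rogue login's changes be traced and undone


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    user: str                                         # an individual login, never a shared store account
    role: str
    scope: Callable[[dict], bool] = lambda rec: True  # row-level predicate (own customers, phone partition)
    lookups: deque = field(default_factory=deque)     # timestamps of recent record opens


def _rate_check(s: Session, now: float) -> None:
    """Sliding-window cap on how many records one login can open."""
    while s.lookups and now - s.lookups[0] > LOOKUP_WINDOW:
        s.lookups.popleft()
    if len(s.lookups) >= LOOKUP_LIMIT:
        AUDIT.append((now, s.user, "DENY rate", None))
        raise AccessDenied("lookup rate exceeded")
    s.lookups.append(now)


def view_customer(s: Session, cid: str, now: Optional[float] = None) -> dict:
    """Return only the fields the caller's role may see, and only within its scope."""
    now = time.time() if now is None else now
    rec = CUSTOMERS[cid]
    if not s.scope(rec):
        AUDIT.append((now, s.user, "DENY view", cid))
        raise AccessDenied("record outside caller's scope")
    _rate_check(s, now)
    AUDIT.append((now, s.user, "view", cid))
    return {k: v for k, v in rec.items() if k in ROLE_FIELDS[s.role]}


def search_by_phone_suffix(s: Session, suffix: str, now: Optional[float] = None) -> list:
    """A search that cannot double as a bulk export: broad queries are refused."""
    now = time.time() if now is None else now
    hits = [cid for cid, r in CUSTOMERS.items()
            if r["phone"].endswith(suffix) and s.scope(r)]
    if len(hits) > MAX_RESULTS:
        AUDIT.append((now, s.user, "DENY search", suffix))
        raise AccessDenied("query too broad, refine it")
    return [view_customer(s, cid, now) for cid in hits]


def _gateway_charge(token: str, amount: float) -> dict:
    """Stand-in for the payment gateway, which charges by token, never by card number."""
    return {"status": "ok", "amount": amount}


def charge_stored_card(s: Session, cid: str, amount: float, now: Optional[float] = None) -> dict:
    """'Charge the card on file' without the agent ever seeing the card number."""
    now = time.time() if now is None else now
    if s.role != "billing":
        AUDIT.append((now, s.user, "DENY charge", cid))
        raise AccessDenied("this role may not take payments")
    rec = CUSTOMERS[cid]
    receipt = _gateway_charge(rec["card_token"], amount)  # token stays server-side
    AUDIT.append((now, s.user, "charge %.2f" % amount, cid))
    return {"customer": cid, "card_last4": rec["card_last4"], "status": receipt["status"]}
```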

Re:Access password with no ACLs ? (-1)

Anonymous Coward | more than 3 years ago | (#34817252)

> Kind of like: You are the new guy who is managing our blog? Here is the root password on all our systems; thanks to yp, they are the same on all machines. Have fun in your new job.

This IS the norm though in the Unix/Linux/Webhosting community. It has something to do with the Unix security model being entirely broken and not providing any effective means of separation for administrative privilege.

Re:Access password with no ACLs ? (1)

anomaly256 (1243020) | more than 3 years ago | (#34817562)

If you've ever had to use a Vodafone system or service of any kind, you'll know that the concept of forethought just doesn't exist there. The only surprise here is that something as serious as this didn't happen sooner. Although maybe it did but they managed to keep it quiet..

Password Breach (0)

Anonymous Coward | more than 3 years ago | (#34815452)

1234?

Valuable goods will be stolen (4, Insightful)

Stiletto (12066) | more than 3 years ago | (#34815502)

I don't try to hide and lock down my car's license plate number. My car's license plate number is 6NHG617. Nobody cares about it and nobody wants to steal it. It's not valuable. The solution to the "problem" of personal identification theft is not to keep trying to hide and lock down personal information. The solution is to make personal information no longer valuable.

Re:Valuable goods will be stolen (2)

fractoid (1076465) | more than 3 years ago | (#34815534)

Your number plate is one thing. Your number plate, make of car, route to work, and usual parking place are QUITE another thing. Especially if you drive something worth stealing. Now say there's a similar leak at the main BMW showroom near you, and you drive a BMW. Cross reference the two and they now know your car's activation code. Hurrah!

Re:Valuable goods will be stolen (2)

Stiletto (12066) | more than 3 years ago | (#34815642)

If I drive something worth stealing, nobody is going to go through any effort that involves my number plate or other "personal information". They're going to tow it away in 45 seconds while I'm in the grocery store.

The point is, there is no value in this particular "account number" because minus a few concocted movie-like scenarios, it cannot help anyone get anything. But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change. My name/address/ssn can be used to take out a loan in my name. This is what has to change.

Re:Valuable goods will be stolen (2)

TheLink (130905) | more than 3 years ago | (#34815796)

But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change.

But if it's too "secure", when the bank screws up (or insiders do stuff) they will deny it and convince the courts it's a valid transaction and your fault.

Re:Valuable goods will be stolen (1)

mehrotra.akash (1539473) | more than 3 years ago | (#34815812)

But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change.

To use a credit card online, you need the CC number, the CVV number, date of expiry and an additional password (VbV/MasterCard SecureCode, the 3-D Secure system). To use it offline, the signature must match and an ID proof is needed for transactions of any significant value, so I don't think the CC leaks are too much of an issue..

Re:Valuable goods will be stolen (2)

nahdude812 (88157) | more than 3 years ago | (#34815852)

Merchants are not permitted to request ID by their merchant agreement with the credit card companies.

Lots of places ask for it anyway, because they're who's out cash if a charge is successfully disputed. But you are not required to show ID.

Re:Valuable goods will be stolen (1)

Peeteriz (821290) | more than 3 years ago | (#34816122)

Where does your info come from?

I've worked in banking, and seen merchant agreements that say that for transactions above certain amount, if the merchant doesn't verify ID, then merchant bears the risk - thus checking ID isn't mandatory, but they are allowed to check ID and refuse transactions w/o ID. Maybe that doesn't apply to all types for merchants, but for some (say, jewelry - buying a $1000 gold necklace) Visa/Mastercard definitely allow merchants to request ID.

Re:Valuable goods will be stolen (5, Informative)

Darshu (87549) | more than 3 years ago | (#34817786)

On the contrary. ID is not permitted to be required. See right here:

http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html [mastercard.com]

[On an OT note, since when does Slashdot require me to wait for an extraordinarily long period of time when I am just trying to reply with some simple information]

Re:Valuable goods will be stolen (1)

Stiletto (12066) | more than 3 years ago | (#34815950)

No matter how many numbers are written on a credit card, they must be considered together as a single authentication factor. If the thief has access to one number physically on the card, he likely has access to all numbers on the card.

The additional password is a good start, but relies on the merchant not being a retard and linking the password with the CC number in a way that can be compromised. Also, as we have seen over and over, passwords are not great security tokens because they are either easy to memorize (and easy to guess) or they are hard to memorize and likely will be written down somewhere (or stored somewhere that's protected by an easy-to-remember [guess] password).

I'm convinced that biometrics are going to play an increasing role, since it's orders of magnitude more difficult to steal someone's eyes or fingers, or to steal the keyfob implanted on a bone in his hand than it is to steal a credit card or a password on a post-it note.

Re:Valuable goods will be stolen (1)

mehrotra.akash (1539473) | more than 3 years ago | (#34816178)

The merchant cannot store the password, as the password is entered after you are redirected to the issuer bank's site..
However, your point about weak and remembered or strong and written-down passwords is very valid.

Re:Valuable goods will be stolen (1)

Bert64 (520050) | more than 3 years ago | (#34816268)

A signature must match the one that's prominently displayed on the back of the card ready for the thief to copy... That's assuming the merchant actually checks, because usually they don't bother. And if large transactions flag too much attention, just make lots of small transactions instead.

Re:Valuable goods will be stolen (1)

stonewallred (1465497) | more than 3 years ago | (#34816954)

I am never asked for ID when using a credit card, unless I am renting a vehicle. And that has included some charges well over 4k.

Re:Valuable goods will be stolen (4, Informative)

arkhan_jg (618674) | more than 3 years ago | (#34815854)

Tell that to the people that have had their car number plate cloned for a similar model car, and end up getting speeding tickets and congestion charges for driving in London, despite not doing anything of the sort. And good luck getting the police to believe that's not your car and number plate in the photos.

The problem is not the openness (or not) of people's data. It's that it's trivially abused, as personal data is often used as some form of ID, not least by banks, credit agencies, police and shops.

Re:Valuable goods will be stolen (2)

glyphi (661141) | more than 3 years ago | (#34815886)

Ohhh, so wrong - your license plate number does have a value. If you have the same make/model/colour vehicle as me, I clone your plate and drive through speed cameras with impunity. I don't even have to know your name and address unless I'm stupid enough to get stopped. It's happened over here in Blighty; you try proving to a copper with camera evidence of the rear of your car only that it wasn't you driving. It proved difficult! Parking fines? Hehehe, a thing of the past.

Re:Valuable goods will be stolen (0)

Anonymous Coward | more than 3 years ago | (#34815904)

Credit card numbers need to be tied to a single merchant. So I ask my bank for a new number, and I use that for my Vodaphone account. That number should then be locked to Vodaphone's merchant ID, so only Vodaphone can charge against it, and only a maximum amount per month.

Yes, it takes 30 seconds to go on the web and generate a new CC number for a new purchase, but that's easy. BOA has such a thing now called ShopSafe. I've used it for years, and twice companies that had my credit card info got hacked, but I didn't care since no one can use the CC number.

They could make the CC have something like SecurID cards, so that the number or a 12-character passcode changes every minute.
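
The merchant-locked virtual card number the comment above describes, as an added example (hypothetical issuer and merchant identifiers, constructed data; not ShopSafe or any real product): a number is bound at issue time to one merchant and a monthly cap, so a copy leaked from that merchant's database cannot be charged anywhere else or beyond the cap.

```python
from dataclasses import dataclass, field
from datetime import date
import secrets


@dataclass
class VirtualCard:
    number: str
    merchant_id: str      # only this merchant may charge the number
    monthly_cap: float
    spent: dict = field(default_factory=dict)  # "YYYY-MM" -> running total


class Issuer:
    """Hypothetical issuer-side logic for per-merchant virtual card numbers."""

    def __init__(self):
        self.cards = {}

    def issue(self, merchant_id: str, monthly_cap: float) -> str:
        """Mint a fresh 16-digit number; the 9999 prefix marks it as a constructed sample."""
        while True:
            number = "9999" + "".join(str(secrets.randbelow(10)) for _ in range(12))
            if number not in self.cards:
                break
        self.cards[number] = VirtualCard(number, merchant_id, monthly_cap)
        return number

    def authorize(self, number: str, merchant_id: str, amount: float, on: date) -> tuple:
        """Approve or decline a charge. A leaked number is useless at any other merchant."""
        card = self.cards.get(number)
        if card is None:
            return (False, "unknown card")
        if merchant_id != card.merchant_id:
            return (False, "merchant not authorised for this number")
        if amount <= 0:
            return (False, "invalid amount")
        period = on.strftime("%Y-%m")          # cap resets each calendar month
        running = card.spent.get(period, 0.0)
        if running + amount > card.monthly_cap:
            return (False, "monthly cap exceeded")
        card.spent[period] = running + amount
        return (True, "approved")
```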

Re:Valuable goods will be stolen (1)

Anonymous Coward | more than 3 years ago | (#34815964)

Agreed, Ryan.

Re:Valuable goods will be stolen (1)

noidentity (188756) | more than 3 years ago | (#34816002)

Nobody cares about [my license plate number] and nobody wants to steal it. It's not valuable.

Correct me if I'm wrong, but people do steal license plates; that's why there are special security bolts you can buy to attach it. If you mean just the number, how could someone steal the number itself? And if they did, would your car just have no number, even in databases?

Re:Valuable goods will be stolen (1)

LordNacho (1909280) | more than 3 years ago | (#34816444)

If you mean just the number, how could someone steal the number itself? And if they did, would your car just have no number, even in databases?

They can have new plates printed. Various dealerships and auto equipment shops have machines that make plates. I'm sure a crook could get a hold of one.

Re:Valuable goods will be stolen (1)

noidentity (188756) | more than 3 years ago | (#34817900)

Yes, but how is that theft of the number? The number copied is still there on the original vehicle. Sounds more like copying.

Re:Valuable goods will be stolen (0)

Anonymous Coward | more than 3 years ago | (#34816328)

Not exactly salient to your point but I think worth pointing out anyway.
We now know you reside in California and your car is probably a late 2009 to mid 2010 model. The plate information alone is probably not worth much but when it is combined with other 'harmless' bits of information you may have volunteered in comments here and other places it could be useful to figure out who you are and if you are worth further study.

Re:Valuable goods will be stolen (2)

LordNacho (1909280) | more than 3 years ago | (#34816428)

I don't try to hide and lock down my car's license plate number. My car's license plate number is 6NHG617. Nobody cares about it and nobody wants to steal it. It's not valuable. The solution to the "problem" of personal identification theft is not to keep trying to hide and lock down personal information. The solution is to make personal information no longer valuable.

Are you in the UK? I went to Halford's last week, and based on my number plate, the guy at the till found out what kind of car it was, and what kinds of equipment would fit. I don't know what else he had on the screen, but I'd be pretty unhappy if it had all my details such as address, insurance details, etc. Anyway, he explained it was available as a database that firms can purchase. The fact that someone does purchase it suggests it has some value.

Let me be the first to say (0)

Anonymous Coward | more than 3 years ago | (#34815514)

WTF is a vodafone?

Re:Let me be the first to say (2)

bfree (113420) | more than 3 years ago | (#34815566)

Vodafone [wikipedia.org]

Vodafone Group plc (LSE: VOD, NASDAQ: VOD) is a global telecommunications company headquartered in Newbury, United Kingdom. It is the world's largest mobile telecommunications company measured by revenues and the world's second-largest measured by subscribers (behind China Mobile), with around 332 million proportionate subscribers as of 30 September 2010.[2][3] It operates networks in over 30 countries and has partner networks in over 40 additional countries.[4] It owns 45% of Verizon Wireless, the largest mobile telecommunications company in the United States measured by subscribers.

Re:Let me be the first to say (3, Informative)

Bert64 (520050) | more than 3 years ago | (#34816490)

Considering that as a vodafone customer you can travel to 30 countries and use a network owned by the same company, the roaming rates are pretty extortionate when you actually try to do so.

Australia only? (1)

bfree (113420) | more than 3 years ago | (#34815540)

Neither the summary nor TFA says if this is global or limited to a particular region or one country. At a guess because TFA comes from a .au domain and says nothing about the extent of the issue this only impacts Australian customers of Vodafone?

Re:Australia only? (1)

Spad (470073) | more than 3 years ago | (#34815804)

That's something I'd like to know as a UK customer of Vodafone; certainly some of their back end infrastructure is shared across regions, as their web-based account management is universally badly designed and subject to frequent and random failures, if their various national support forums are anything to go by.

Re:Australia only? (0)

Anonymous Coward | more than 3 years ago | (#34816816)

If they were internationally linked I believe they could well be in trouble with the UK Data Protection Act for doing so, let alone the leak.

Re:Australia only? (1)

dakameleon (1126377) | more than 3 years ago | (#34817678)

From the reporting here in Australia, it does appear to be restricted to Australia; Vodafone has come under increasing fire here for poor service, reception and call handling issues, and this just adds a cherry to the pie that is coming for their face.

That said, you'd better hope it's not accepted practice across the international organisation. Vodafone here recently merged with Three (Hutchison) for Australian operations, so it could be either company's policies that were the root cause of this, but both these companies are multinationals and if I was a customer of either outside Australia I'd be at least a little worried.

Re:Australia only? (2)

philj (13777) | more than 3 years ago | (#34815922)

Vodafone use different billing, customer care and CRM systems in each country and they aren't linked. I'm certain that this leak is only related to Australian customers.

The only data flow between them would be roaming CDRs and any reporting to VF HQ.

Re:Australia only? (1)

zonky (1153039) | more than 3 years ago | (#34816028)

But I thought Vodafone used shared Egyptian call centres for multiple countries?

Re:Australia only? (0)

Anonymous Coward | more than 3 years ago | (#34816132)

I know of 3 countries where this is not the case (I've only worked for 3 different Vodafones, and can't speak about the others).

Even if you're using a shared call center, the software doesn't have to be the same for each country.

Not PCI compliant (1)

12ahead (586157) | more than 3 years ago | (#34815556)

How the heck do they get away with having retrievable credit card details in their db? Once the CC# is in the database it shouldn't be retrievable.

How many places out there don't actually follow this simple rule?

Where I work we were worried that the banks may turn off our credit card processing facilities if we don't get PCI compliant. And that is maybe 1/40 of the customer base.

I am really puzzled - how does Vodafone get away with this in the first place? No audits?

Re:Not PCI compliant (1)

philj (13777) | more than 3 years ago | (#34815948)

Loads of places aren't PCI compliant yet.

It's not trivial (or cheap) to liaise with multiple billing/CRM vendors and do full PCI audits, then pay for any necessary code changes.

In fact, some systems are better off replaced as it's not worth the investment upgrading legacy software. Doing so can take a good 2-3 years.

Re:Not PCI compliant (0)

Anonymous Coward | more than 3 years ago | (#34815962)

How the heck do they get away with having retrievable credit card details in their db? Once the CC# is in the database it shouldn't be retrievable.

Absolutely not true. PCI DSS allows you to store CC details, but they must be stored in encrypted form and restricted access.

Otherwise vendors won't be able to bill you properly.

When you check in to a hotel, they ask for a CC and swipe it. If you run up a big bill and don't show up at checkout, the hotel will bill your CC (successfully).

How many places out there don't actually follow this simple rule?

You should learn what the PCI rules are.

Re:Not PCI compliant (1)

Bert64 (520050) | more than 3 years ago | (#34816480)

The PCI requirements aren't great, many are short sighted, flawed or just plain wrong...

Also if you're a small company, they will hit you over the head and force you to comply with their requirements, if you're a huge company like vodafone you get cut a lot more slack because they don't want to lose your business.

Most PCI consultants are geared up towards "how can we get through this with the minimum of disruption" rather than "how can we improve security", they comply with the letter of the pci regulations but not necessarily the spirit, and will often try to find loopholes.

Secure customer database? (2)

ido50 (967259) | more than 3 years ago | (#34815560)

I don't think you can still call it "secure".

Re:Secure customer database? (1)

countertrolling (1585477) | more than 3 years ago | (#34815666)

It's the mother of all oxymorons

Re:Secure customer database? (3, Funny)

TheRaven64 (641858) | more than 3 years ago | (#34815836)

It's just a missing hyphen. They meant secure-customer database. They put their insecure customers in another database and send them reassuring text messages periodically.

Make them pay! (1)

Goglu (774689) | more than 3 years ago | (#34815628)

First, make it mandatory to disclaim when a breach occurs, with a criminal penalty (making their management accessory to the crimes in which this breached information may be used). When we'll make companies responsible for the damage they cause, they will be more careful with the information. Actually, I'd expect them to tackle the problem at its source and stop collecting unnecessary information altogether... or implement good security measures.

We have a situation where the cost of acquiring and possessing information is next to nothing, but using it has a value. Let's re-establish the balance by making sure that the cost of possession reflects the reality.

Re:Make them pay! (0)

Anonymous Coward | more than 3 years ago | (#34816282)

good luck. vodafone don't even pay their tax bills.

Re:Make them pay! (1)

Anonymous Coward | more than 3 years ago | (#34816298)

I hope it sinks them and Philip Green the tax avoiding sunofabitch

http://www.ukuncut.org.uk/targets

Re:Make them pay! (1)

Bert64 (520050) | more than 3 years ago | (#34816526)

Also if a company leaks information such as card details, make *them* liable for any fraud which occurs as a result...
When a mass fraud happens, it's quite easy to work out that all the stolen cards were used with the same company.

Breached? Or "leaked"? (1)

countertrolling (1585477) | more than 3 years ago | (#34815686)

Neat way of selling your database, then claiming it was stolen...

Why dealers? (1)

jamesl (106902) | more than 3 years ago | (#34815710)

Why oh why would Vodaphone give a DEALER the credentials necessary to access " ... the personal details of millions of customers ... "?

Re:Why dealers? (1)

citizenr (871508) | more than 3 years ago | (#34815952)

Why oh why would Vodaphone give a DEALER the credentials necessary to access " ... the personal details of millions of customers ... "?

so the next time you enter small dealer he can offer you an upgrade to a more expensive service.

Re:Why dealers? (2)

Alain Williams (2972) | more than 3 years ago | (#34816800)

so the next time you enter small dealer he can offer you an upgrade to a more expensive service.

Or as happened to me: a dealer ''sold me a phone'' -- what he did was to lie and tell vodafone that he had done so and collected his kick-back from vodafone for doing so. The first that I knew about it was many months later when I cancelled my contract of some 5 years and vodafone wanted me to pay them some fee since they thought that I had a new phone and new contract!

I wonder where he got all the details about me from, had the Vodafone database been abused many years ago, so how many times since ?

I eventually got them to back down, but I never got a letter of apology -- they don't seem to give a damn.

As far as I am concerned: Vodafone suck -- don't go near them.

Re:Why dealers? (0)

Anonymous Coward | more than 3 years ago | (#34817062)

That exact same thing happened to me too - about 10 years ago. I will never use them, or Telstra, or Optus. Doesn't really leave me with much choice considering 3 are now Vodafone too.

Moderators??? (-1, Offtopic)

kyrio (1091003) | more than 3 years ago | (#34815780)

Do they actually bother to edit anything before posting? Why was the word 'secure' kept in the text when it was obvious that it wasn't secure at all. Then there's the use of '...' and not having a space after it, or you know, using it properly.

Well at least they notified us so that we can... (1)

thomasdz (178114) | more than 3 years ago | (#34815846)

OK, everyone...we've been notified...
everybody change their name & move so that the bad guys cannot use this information and we can sit back and laugh at them.

As A Vodafone Customer... (1)

thatbloke83 (1529851) | more than 3 years ago | (#34815872)

This does make me a little nervous... Time to change a few passwords methinks.

Re:As A Vodafone Customer... (1)

AliasMarlowe (1042386) | more than 3 years ago | (#34815960)

This does make me a little nervous... Time to change a few passwords methinks.

If TFA is correct, it's your home address and credit card numbers that might need to be changed...
Your passwords are probably OK.

Prepaid SIMs (2)

icebraining (1313345) | more than 3 years ago | (#34815982)

Yet another reason to use Prepaid SIMs in my phones. My phone company doesn't even know my full name nor phone model, much less my CC number.

Re:Prepaid SIMs (1)

xded (1046894) | more than 3 years ago | (#34816134)

In some countries, identification of phone number owner is mandatory (e.g., Italy).

Re:Prepaid SIMs (1)

imroy (755) | more than 3 years ago | (#34816398)

In some countries, identification of phone number owner is mandatory (e.g., Italy).

That's the case here in Australia. I had to give ID when getting a prepaid SIM with Vodafone. However, I don't use a credit card (don't have one) to "recharge" the balance, so I guess all they could have on me is my home address. And mobile number, of course. So I might get some targeted junk mail and unsolicited phone calls?

Re:Prepaid SIMs (0)

Anonymous Coward | more than 3 years ago | (#34817020)

Eh, whenever I move, I update my current ID to reflect the address I am moving from. None of the government's business where the hell I live. Same with license plates and bank accounts, all records are at least one address prior, if not two. My phone, for government's and business' records is always my last phone number. My cable is in a fake name, as is my electric and gas bills. Real mail is sent to a PO box about 45 minutes from my town, and that was secured almost 10 years ago with an old address even then.

Re:Prepaid SIMs (0)

Anonymous Coward | more than 3 years ago | (#34816170)

Vodafone prepaid plans in australia/nz require credit cards for top up, and this effectively stores it in the database.

Re:Prepaid SIMs (3, Informative)

Kalriath (849904) | more than 3 years ago | (#34816368)

Bollocks, don't you go speaking for NZ. You can just buy a voucher - with cash - and use the code printed on it to top up.

Re:Prepaid SIMs (2)

igreaterthanu (1942456) | more than 3 years ago | (#34816484)

...or you can walk to almost any store whatsoever and buy a topup anonymously with cash.

Re:Prepaid SIMs (1)

it0 (567968) | more than 3 years ago | (#34816172)

Good for you, however if you connect to them they can see your IMEI and depending on what other services you use from them, I'm pretty sure they have the capability to know a lot of information, the most obvious one being your phone model.

Re:Prepaid SIMs (0)

Anonymous Coward | more than 3 years ago | (#34817398)

Did you ever have a contract number? Then forget about your privacy, they already have your data unless you changed your CC number.

Re:Prepaid SIMs (1)

icebraining (1313345) | more than 3 years ago | (#34818128)

Nope, prepaid is the norm here, I don't know anyone who has a contract for personal phones.

Re:Prepaid SIMs (4, Informative)

Zalchiah (914703) | more than 3 years ago | (#34817428)

If you have placed a SIM card in a phone, and turned that phone on, your phone company has your phone model. Your IMEI is recorded when your handset connects to your nearest Cell tower, and is recorded with every call or txt you make. Also, Siebel (the system that both Vodafone and Telstra use in Australia) automatically records this IMEI against your account. With an IMEI, it is extremely easy to find out phone model. For free. Online. http://www.numberingplans.com/?page=analysis [numberingplans.com] (Sometimes it asks for a login, sometimes it doesn't. A login is free to create.)
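
The comment above is right that the TAC carries the model. The following is an added example, not code from the original post or from any Vodafone system: it splits an IMEI into its 8-digit Type Allocation Code, 6-digit serial and Luhn check digit, validates the check digit, and resolves the model from a small lookup table. The table entries and TACs are constructed for illustration; real TAC data comes from the GSMA allocation lists or sites such as the one linked above.

```python
"""IMEI structure and TAC lookup (added example, not from the original post).

An IMEI is 15 digits: an 8-digit Type Allocation Code (TAC) identifying the
handset model, a 6-digit serial number for the individual unit, and a Luhn
check digit.  The serial is what lets a carrier recognise the same handset
across SIM swaps; the TAC alone gives away the model.
"""

# Constructed sample table: these TACs and model names are hypothetical.
SAMPLE_TAC_TABLE = {
    "35000001": "ExamplePhone Alpha",
    "35000002": "ExamplePhone Beta",
}


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum (last digit is the check)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right, skipping the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # these positions get doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def build_imei(tac: str, serial: str) -> str:
    """Assemble TAC + serial and append the computed check digit."""
    if len(tac) != 8 or len(serial) != 6 or not (tac + serial).isdigit():
        raise ValueError("TAC must be 8 digits and serial 6 digits")
    payload = tac + serial
    return payload + str(luhn_check_digit(payload))


def parse_imei(imei: str) -> dict:
    """Split an IMEI into its parts and resolve the model from the TAC table."""
    if len(imei) != 15 or not imei.isdigit():
        return {"valid": False, "reason": "IMEI must be 15 digits"}
    if not luhn_valid(imei):
        return {"valid": False, "reason": "check digit mismatch"}
    tac, serial = imei[:8], imei[8:14]
    return {
        "valid": True,
        "tac": tac,
        "serial": serial,
        "model": SAMPLE_TAC_TABLE.get(tac, "unknown TAC"),
    }
```

The check digit only catches transcription errors; it is not a secret and provides no protection. The privacy point is the other two fields: the TAC identifies the model, and the serial identifies the physical handset regardless of which prepaid SIM is in it.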

Time to rethink payment methods? (1)

silanea (1241518) | more than 3 years ago | (#34816020)

Such breaches are the reason why I will never have a credit card. There ought to be a way to create some kind of simple ACL on payment methods: Similar to how I use a different e-mail alias for every (important) website I sign up for which I can simply change or delete if the database is breached or I receive spam, I should be able to give each company an individual authorisation code for withdrawals from my account that can only be used by that company, maybe through digital signatures, and may be subject to further limitations (no withdrawal above x, not more than a total of x withdrawn per month, each requested withdrawal must be manually authorised by me...). So even if one such code was compromised evil haxor X could do nothing with it unless they also steal the same company's payment certificate, which in an ideal world should not be stored on the same machine as their customer DB.

I can fine-tune who can do what on my media server down to ridiculous levels, but I have virtually no control over my bank account. Something is horribly wrong in this world.
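
The per-company authorisation code described above can be sketched in code. What follows is an added example, not from the original post and not any bank's real scheme: the bank issues a mandate bound to one merchant with a per-transaction limit and a monthly cap; the merchant stores only the mandate ID in its customer database and must sign each withdrawal request with its own key. A mandate ID lifted from a breached customer database authorises nothing on its own. The merchant "certificate" is modelled with an HMAC secret registered at onboarding, and the names, limits and request format are assumptions made for illustration.

```python
"""Per-merchant withdrawal mandates (added example, not from the original post).

A real deployment would use public-key signatures so the bank never holds the
merchant's private key; HMAC with a registered secret is used here to keep the
example dependency-free.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class Mandate:
    mandate_id: str
    merchant_id: str
    max_per_tx: int                  # limit per withdrawal, in cents
    monthly_cap: int                 # total allowed per month, in cents
    spent_this_month: int = 0
    seen_nonces: set = field(default_factory=set)


def sign_request(merchant_secret: bytes, request: dict) -> str:
    """Merchant side: sign the canonical JSON form of the request."""
    msg = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(merchant_secret, msg, hashlib.sha256).hexdigest()


class Bank:
    def __init__(self):
        self.merchant_keys = {}      # merchant_id -> secret registered at onboarding
        self.mandates = {}           # mandate_id -> Mandate

    def register_merchant(self, merchant_id: str, secret: bytes) -> None:
        self.merchant_keys[merchant_id] = secret

    def issue_mandate(self, mandate_id: str, merchant_id: str,
                      max_per_tx: int, monthly_cap: int) -> str:
        self.mandates[mandate_id] = Mandate(mandate_id, merchant_id, max_per_tx, monthly_cap)
        return mandate_id            # the only thing the merchant needs to store

    def authorize(self, request: dict, signature: str) -> tuple:
        """Return (approved, reason).  Every check fails closed."""
        mandate = self.mandates.get(request.get("mandate_id"))
        if mandate is None:
            return False, "unknown mandate"
        merchant_id = request.get("merchant_id")
        if merchant_id != mandate.merchant_id:
            return False, "mandate is not bound to this merchant"
        secret = self.merchant_keys.get(merchant_id)
        if secret is None:
            return False, "unregistered merchant"
        if not hmac.compare_digest(sign_request(secret, request), signature):
            return False, "bad merchant signature"   # a stolen ID without the merchant key ends here
        nonce = request.get("nonce")
        if nonce in mandate.seen_nonces:
            return False, "replayed request"
        amount = request.get("amount", 0)
        if not isinstance(amount, int) or amount <= 0:
            return False, "invalid amount"
        if amount > mandate.max_per_tx:
            return False, "exceeds per-transaction limit"
        if mandate.spent_this_month + amount > mandate.monthly_cap:
            return False, "exceeds monthly cap"
        mandate.seen_nonces.add(nonce)
        mandate.spent_this_month += amount
        return True, "approved"
```

The signature covers the whole request, so an attacker who has the mandate ID cannot change the amount or the merchant on a captured request either; the nonce stops a captured valid request from being replayed. The manual-approval variant the comment mentions would be one more flag on the mandate checked before the amount limits.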

International (0)

Anonymous Coward | more than 3 years ago | (#34816038)

I wonder if this affects only Australia or the UK as well (and probably other countries where Vodafone is).

details of millions of customers (1)

zakeria (1031430) | more than 3 years ago | (#34816318)

C'mon, millions of customers? this is vodafone we're talking about not o2..

Re:details of millions of customers (1)

UoNTidal (442382) | more than 3 years ago | (#34816862)

Yes, millions - Vodafone Hutchinson Australia (which owns the Vodafone and 3 networks in Australia) had 6.3 million customers [vodafone.com.au] as of September 2009.

Hopefully fined and sued into oblivion (0)

Anonymous Coward | more than 3 years ago | (#34816576)

Vodafone ought to communicate to each customer if his/hers details have gone awry, and held responsible for any consequences attributable to the breach now and in the future. The industry regulator ought to go in and swiftly smack them around the head. Very, very hard. From board level down to anyone who has any sort of responsibility for this at all. Several times. And land them with a fine that is outrageously high by any standard.

Global or one country only? (1)

fantomas (94850) | more than 3 years ago | (#34816578)

Does anybody know if this was a global database or one region only?

cheers.

Re:Global or one country only? (1)

Chucky_M (1708842) | more than 3 years ago | (#34816814)

Does anybody know if this was a global database or one region only?

cheers.

It was regional; as another poster pointed out, Vodafone uses different systems all over the world.

It is bad news certainly but unless the person who built the web interface was an idiot it should have no way to extract all customer data in one go. Either way, Vodafone promised more information and we can be certain that will happen as VF is not really a single company any more than the EU is a single country. It should be interesting as the others will be very peeved this close to the annual SOX audit when the ball is dropped like this.

Vodaphone customer here (0)

Anonymous Coward | more than 3 years ago | (#34817164)

This is one reason why I pay by b-pay instead of credit card. My phone number and address are already in the phone book. Not happy about calling info being revealed, but not having the c/c number out there is the main thing.

Wherever possible, I choose a service provider that will take bank transfers or BPAY as a payment method rather than automatic billing by c/c. It gives you more control (such as in a dispute over billing they have to try to get the money from you rather than you trying to get it back) and prevents the number being leaked by insecure systems.

Vodafone is lying. (0)

Anonymous Coward | more than 3 years ago | (#34817436)

They don't know who did it. Was it an employee or a dealer? They don't know; it even says that in the article. So how can Vodafone say this is a "one-off"?

Because he or she hasn't been discovered, the person who did this STILL HAS ACCESS TO THEIR NETWORK.

Fuckers. Don't lie to me directly like that. I'll never trust you again.

Should never have been this bad (1)

skegg (666571) | more than 3 years ago | (#34817598)

Vodafone PR keeps repeating -- both in the press and on their website [vodafone.com.au] -- that the information was "not publicly available on the internet" which, although technically true, is disingenuous. What IS being asserted is that the credentials to access the "secure" information were well known.

So much information should never have been made public. As others have remarked, not all the breached information needed to be available online. They also should have had individual log-ons and layered access.

Also, some other systems log user queries for later audit / scrutiny (e.g. the police database here in NSW). Definitely not fool-proof [austlii.edu.au] but a deterrent.
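
The controls asked for in the comment above, and the "no way to extract all customer data in one go" point made earlier in the thread, fit in a small lookup service. This is an added example, not code from the original posts or from Vodafone's systems: individual user accounts instead of a shared dealer password, a role-based view that hides address and card data from dealer staff, dealer reps restricted to their own customers, no list-everyone call (every lookup needs the customer's mobile number), a per-user rate cap so the lookup form cannot be scripted into a bulk dump, and an audit log of every query, allowed or denied. The records, roles, dealer IDs and the 20-per-hour cap are constructed assumptions.

```python
"""Per-user logins, layered field access, dealer scoping and query auditing
(added example, not from the original posts)."""
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (no real data).  The card column holds only the
# last four digits; the full PAN has no business being in a front-line tool.
CUSTOMERS = {
    "0400000001": {"name": "A. Example", "dealer": "dlr-17", "plan": "cap-49",
                   "address": "1 Sample St", "card_last4": "1234"},
    "0400000002": {"name": "B. Example", "dealer": "dlr-42", "plan": "cap-79",
                   "address": "2 Sample St", "card_last4": "5678"},
}

ROLE_FIELDS = {
    "dealer_rep": {"name", "plan"},                             # enough to offer an upgrade
    "billing":    {"name", "plan", "address", "card_last4"},    # still masked
}
DEALER_SCOPED_ROLES = {"dealer_rep"}
RATE_LIMIT, RATE_WINDOW_SECONDS = 20, 3600     # assumed cap: 20 lookups per user per hour


@dataclass(frozen=True)
class User:
    username: str                 # an individual login, never a shared dealer password
    role: str
    dealer: Optional[str] = None


class CustomerLookup:
    def __init__(self, clock=time.time):
        self.clock = clock                        # injectable so the rate limit is testable
        self.audit_log = []                       # every query, allowed or not
        self._recent = defaultdict(deque)         # username -> timestamps inside the window

    def _record(self, user, mobile, outcome, fields=()):
        self.audit_log.append({"ts": self.clock(), "user": user.username,
                               "role": user.role, "mobile": mobile,
                               "outcome": outcome, "fields": sorted(fields)})

    def _over_rate_limit(self, user) -> bool:
        now = self.clock()
        window = self._recent[user.username]
        while window and now - window[0] > RATE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return True
        window.append(now)
        return False

    def lookup(self, user: User, mobile: str) -> Optional[dict]:
        """Return the fields this user may see for one customer, or None."""
        if user.role not in ROLE_FIELDS:
            self._record(user, mobile, "DENIED unknown role")
            return None
        if self._over_rate_limit(user):
            self._record(user, mobile, "DENIED rate limit")
            return None
        record = CUSTOMERS.get(mobile)
        if record is None:
            self._record(user, mobile, "NOT FOUND")
            return None
        if user.role in DEALER_SCOPED_ROLES and record["dealer"] != user.dealer:
            self._record(user, mobile, "DENIED other dealer's customer")
            return None
        allowed = ROLE_FIELDS[user.role]
        self._record(user, mobile, "OK", allowed)
        return {k: v for k, v in record.items() if k in allowed}
```

Denied lookups are logged as well as successful ones, because a run of "other dealer's customer" or "NOT FOUND" entries from one account is exactly the pattern that shows someone walking the number space, and that is the signal the NSW police-database style review relies on.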
