Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Australia Privacy Security IT

Vodafone Customer Database Breached 136

beaverdownunder writes "Vodafone has confirmed it believes its secure customer database has been breached by an employee or dealer who has shared the access password, revealing the personal details of millions of customers... According to Fairfax newspapers, 'criminal groups are paying for the private information of some customers including home addresses and credit card details.'"
This discussion has been archived. No new comments can be posted.

Vodafone Customer Database Breached

Comments Filter:
  • by ls671 ( 1122017 ) * on Sunday January 09, 2011 @12:32PM (#34815422) Homepage

    Well this sure sounds like when they need to give somebody access to *some* data, they just give her/him a username/password which then grants her/him access to the whole database.

    ACLs ? group based authorization ? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers data, etc.

    Kind of like: You are the new guy who is managing our blog ? Here is the root password on all our systems, thanks to yp, they are the same on all machines. Have fun in your new job.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      The bigger problem appears to be that they don't even seem to use individual logins.

      They appear to give stores a single username and password to share (which is probably written on their screens!), and then allow their management system to be accessible from any location.

      The best bit is that some of these credentials are even posted in documents on their website if you look hard enough.

      *facedesk*

      • by Anonymous Coward

        From the Article:
        "I'm not concerned about the brand at the moment, I'm mostly concerned about making sure our customers' records are safe."

        "And that's why we're resetting those passwords every 24 hours. "

        So I guess
        Today's password is "password01092011" tomorrow's password is "password01102011" Terminals labels will be changed to password = password + today's date.

      • by Anonymous Coward
        I suspect that this is indeed the case. The "enterprise" tool to access/update phone contract data comes with a windows installer that sets up a "secret" key and certificate in the windows certificate store to create a VPN connection. This key is the same for all store installations and can easily extracted by removing the "not exportable" flag when running the installer in a debugger.
        • by zonky ( 1153039 )
          There is no inherent protection in marking the key as 'not exportable'. There are many third party tools that will allow you to export the key if you have permissions to read it.
      • I deal with Vodafone (NZ) which may not be too different from Vodafone (Aus). If it is, this is probably not the stupidist thing they do. In about 36 months of dealing with them, they have never once got our invoice right the first time. They however do business in a duopoly market here in NZ, and their opposition is no better, so what is their incentive?
    • ACLs ? group based authorization ? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers data, etc.

      At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this. Why the HELL would you have any sensitive customer data on an internet-facing machine?

      • by Anonymous Coward on Sunday January 09, 2011 @01:06PM (#34815660)

        ACLs ? group based authorization ? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers data, etc.

        At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this. Why the HELL would you have any sensitive customer data on an internet-facing machine?

        Because you're a large corporation, therefore the worst that'll happen to you is a small slap-on-the-wrist fine.

        How to suddenly tighten up corporate security in one maneuver: pass a law stating that the corporate veil is null and void in the case of egregious security violations like this that even the slightest effort could have prevented, leaving the highest levels of management with their deep pockets open to personal civil suits that are NOT eligible for class-action status or any other group status. One at a time Mr. CEO. Are there thousands of victims? Well, hope you got a lot of time on your hands.

      • At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this.

        Hopefully not for long. Change your CC number and close your account (and don't let them charge you any kind of disconnection/early termination fee).

    • The most basic call center employee needs access to data of all the customers, since any of them may call. How can you partition the data and at the same time achieve seamless customer experience wherever the customer may contact you?

      • Pull up the data on the caller as they call? Call centre staff don't need access to my details unless I'm on the phone to them, or I have a case open that they're still helping with.

      • A limited subset of data, yes. The call centre employee doesn't need access to billing for example. The billing support people do, but even they probably don't need access to CC details (perhaps some senior staff should, just so that they can deal with calls related to it). Dealer stores most definitely don't need access to that level of detail, and certainly not for every customer (even those they didn't sign up). And all this stuff sure as shit shouldn't be delivered directly over the frigging interne

      • by Pembers ( 250842 )

        The most basic call center employee needs access to data of all the customers, since any of them may call. How can you partition the data and at the same time achieve seamless customer experience wherever the customer may contact you?

        Partition the call centre employees according to the least significant digit or digits of the customer's telephone number. Employees A, B and C deal with customers with phone numbers ending in 0, and can only see records of those customers. Employees D, E and F deal with phone numbers ending in 1, and so on.

        This is how it was done when I worked in the civil service nearly 20 years ago (well, there it was alphabetically by customer surname, but it's the same principle). That was done for logistical convenien

    • by Spudley ( 171066 )

      You say: "very few people should be allowed to view credit card numbers".

      In fact, for them to be PCI compliant (which I would assume a company the size of Vodaphone must be), no-one should be able to access customer credit card numbers. Its shockingly bad practice if they're even on their database, let alone widely accessible.

      • by AK Marc ( 707885 )
        They are on so that the customer can call in once a month and say "charge the number in my account for last month's bill."
        • by grahammm ( 9083 ) *

          They are on so that the customer can call in once a month and say "charge the number in my account for last month's bill."

          That does not require the CC number to be displayed. The backend system has the number stored (otherwise it could not be retrieved and displayed to the agent), so in the payment entry screen there should be "buttons" for 'charge to stored bank account', 'charge to stored Credit/Debit Card' and 'Enter the card details to be charged'.

    • If you've ever had to use a Vodafone system or service of any kind, you'll know that the concept of forethought just doesn't exist there. The only surprise here is that something as serious as this didn't happen sooner. Although maybe it did but they managed to keep it quiet..
    • well from experience working for BT Mobile phone companies don't attract the best techies - surprised that after the news of the world phone hacking that voda hadn't tightened up on security.
  • by Stiletto ( 12066 ) on Sunday January 09, 2011 @12:46PM (#34815502)

    I don't try to hide and lock down my car's license plate number. My car's license plate number is 6NHG617. Nobody cares about it and nobody wants to steal it. It's not valuable. The solution to the "problem" of personal identification theft is not to keep trying to hide and lock down personal information. The solution is to make personal information no longer valuable.

    • Your number plate is one thing. Your number plate, make of car, route to work, and usual parking place are QUITE another thing. Especially if you drive something worth stealing. Now say there's a similar leak at the main BMW showroom near you, and you drive a BMW. Cross reference the two and they now know your car's activation code. Hurrah!
      • by Stiletto ( 12066 )

        If I drive something worth stealing, nobody is going to go through any effort that involves my number plate or other "personal information". They're going to tow it away in 45 seconds while I'm in the grocery store.

        The point is, there is no value in this particular "account number" because minus a few concocted movie-like scenarios, it cannot help anyone get anything. But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change

        • by TheLink ( 130905 )

          But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change.

          But if it's too "secure", when the bank screws up (or insiders do stuff) they will deny it and convince the courts it's a valid transaction and your fault.

        • But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change.

          To use a credit card online, you need the CC number, the CVV number, date of expiry and an additional password(VbV/Mastercard securecode) -- 3D secure system To use it offline, the signature must match and an id proof is needed for transactions of any significant value, so i dont think the CC leaks are too much of an issue..

          • Merchants are not permitted to request ID by their merchant agreement with the credit card companies.

            Lots of places ask for it anyway, because they're who's out cash if a charge is successfully disputed. But you are not required to show ID.

          • by Stiletto ( 12066 )

            No matter how many numbers are written on a credit card, they must be considered together as a single authentication factor. If the thief has access to one number physically on the card, he likely has access to all numbers on the card.

            The additional password is a good start, but relies on the merchant not being a retard and linking the password with the CC number in a way that can be compromised. Also, as we have seen over and over, however, passwords are not great security tokens because they are either ea

            • the merchant cannot store the password as the password is entered after you are redirected to the issuer banks site..
              However your point about weak and remembered or strong and writtendown passwords is very valid
          • by Bert64 ( 520050 )

            A signature must match the one that's prominently displayed on the back of the card ready for the thief to copy... That's assuming the merchant actually checks, because usually they don't bother. And if large transactions flag too much attention, just make lots of small transactions instead.

          • I am never asked for ID when using a credit card, unless I am renting a vehicle. And that has included some charges well over 4k.
    • by arkhan_jg ( 618674 ) on Sunday January 09, 2011 @01:35PM (#34815854)

      Tell that to the people that have had their car number plate cloned for a similar model car, and end up getting speeding tickets and congestion charges for driving in London, despite not doing anything of the sort. And good luck getting the police to believe that's not your car and number plate in the photos.

      The problem is not the openess (or not) of people's data. It's that it's trivially abused as personal data is often used as some form of ID, not least by banks, credit agencies, police and shops.

    • by glyphi ( 661141 )
      Ohhh, so wrong - your license plate number does have a value. If you have the same make/model/colour vehicle as me I clone your plate and drive through speed cameras with impunity. I don't even have to know your name and address unless I'm stupid enough to get stopped. It's happened over here in blighty, you try proving to a copper with camera evidence of the rear of your car only that it wan't you driving. It proved difficult! Parking fines? Hehehe a thing of the past.
    • by Anonymous Coward

      Agreed, Ryan.

    • Nobody cares about [my license plate number] and nobody wants to steal it. It's not valuable.

      Correct me if I'm wrong, but people do steal license plates; that's why there are special security bolts you can buy to attach it. If you mean just the number, how could someone steal the number itself? And if they did, would your car just have no number, even in databases?

      • If you mean just the number, how could someone steal the number itself? And if they did, would your car just have no number, even in databases?

        They can have new plates printed. Various dealerships and auto equipment shops have machines that make plates. I'm sure a crook could get a hold of one.

        • Yes, but how is that theft of the number? The number copied is still there on the original vehicle. Sounds more like copying.
    • I don't try to hide and lock down my car's license plate number. My car's license plate number is 6NHG617. Nobody cares about it and nobody wants to steal it. It's not valuable. The solution to the "problem" of personal identification theft is not to keep trying to hide and lock down personal information. The solution is to make personal information no longer valuable.

      Are you in the UK? I went to Halford's last week, and based on my number plate, the guy at the till found out what kind of car it was, and what kinds of equipment would fit. I don't know what else he had on the screen, but I'd be pretty unhappy if it had all my details such as address, insurance details, etc. Anyway, he explained it was available as a database that firms can purchase. The fact that someone does purchase it suggests it has some value.

      • He'd have a system that gives him the VIN, make, model, variant, colour etc. The DVLA have cracked down on people reselling the data though, hence you don't see so many "text the reg number" services anymore. Bang went our chance to resell it in an Android app. Giving out the full VIN is a big no-no too, last 8 chars is ok to confirm it though.
        We have a similar system in the company I work for to confirm the vehicle we are underwriting. Ours also gives us the number of owners, transfer dates, whether it's b

      • by Builder ( 103701 )

        Have a look at http://www.askmid.com/ [askmid.com] and you'll see that you can find out a good amount of information from just a license plate.

    • by teslar ( 706653 )

      In Sweden, the license plate is enough to find out the name and address of the owner. It's a little bit more difficult now, but a few years ago (10-15 maybe?), a bunch of guys basically made a living out of sitting at the ferry terminals, writing down the license plates of the cars that left for Germany or Danmark, called up the authorities to find out the address of a person who was now obviously not at home and then drove there to empty the place.

  • Neither the summary nor TFA says if this is global or limited to a particular region or one country. At a guess because TFA comes from a .au domain and says nothing about the extent of the issue this only impacts Australian customers of Vodafone?
    • by Spad ( 470073 )

      That's something I'd like to know as a UK customer of Vodafone; certainly some of their back end infrastructure is shared across regions as their web-based account management is universally badly designed and subject to frequent and random failures if their various national support forums are anything to go by,

    • by philj ( 13777 )
      Vodafone use different billing, customer care and CRM systems in each country and they aren't linked. I'm certain that this leak is only related to Australian customers.

      The only data flow between them would be roaming CDRs and any reporting to VF HQ.
    • by AmiMoJo ( 196126 )

      Even if it doesn't affect the UK I have added the article to the stack I will hand over if/when my identity is stolen. These days it seems to be basically impossible to prevent your private data leaking because so many companies and organisations need it just for you to live a normal life.

  • How the heck do they get away with having retrievable credit card details in their db? Once the CC# is in the database it shouldn't be retrievable.

    How many places out there don't actually follow this simple rule?

    Where I work we were worried that the banks may turn off our credit card processing facilities if we don't get PCI compliant. And that is maybe 1/40 of the customer base.

    I am really puzzled - how does Vodafone get away with this in the first place? No audits?

    • by philj ( 13777 )
      Loads of places aren't PCI compliant yet.

      It's not trivial (or cheap) to liase with multiple billing/CRM vendors and do full PCI audits, then pay for any necessary code changes.

      In fact, some systems are better off replaced as it's not worth the investment upgrading legacy software. Doing so can take a good 2-3 years.
    • by Bert64 ( 520050 )

      The PCI requirements aren't great, many are short sighted, flawed or just plain wrong...

      Also if you're a small company, they will hit you over the head and force you to comply with their requirements, if you're a huge company like vodafone you get cut a lot more slack because they don't want to lose your business.

      Most PCI consultants are geared up towards "how can we get through this with the minimum of disruption" rather than "how can we improve security", they comply with the letter of the pci regulations

  • I don't think you can still call it "secure".
    • It's the mother of all oxymorons

    • by TheRaven64 ( 641858 ) on Sunday January 09, 2011 @01:32PM (#34815836) Journal
      It's just a missing hyphen. They meant secure-customer database. They put their insecure customers in another database and send them reassuring text messages periodically.
    • Everything is as strong as the weakest link - and in case of computer security that weakest link is usually the human factor.

      Indeed in this case they talk about shared passwords. The database may be very secure, but when people having access rights share those rights with unauthorised parties well then security is breached. Which doesn't mean the database itself is not secure though.

  • First, make it mandatory to disclaim when a breach occurs, with a criminal penalty (making their management accessory to the crimes in which this breached information may be used). When we'll make companies responsible for the damage they cause, they will be more careful with the information. Actually, I'd expect them to tackle the problem at its source and stop collecting unnecessary information altogether... or implement good security measures.

    We have a situation where the cost of acquiring and possessi
    • by Anonymous Coward

      I hope it sinks them and Philip Green the tax avoiding sunofabitch

      http://www.ukuncut.org.uk/targets

    • by Bert64 ( 520050 )

      Also if a company leaks information such as card details, make *them* liable for any fraud which occurs as a result...
      When a mass fraud happens, it's quite easy to work out that all the stolen cards were used with the same company.

  • Neat way of selling your database, then claiming it was stolen...

  • Why oh why would Vodaphone give a DEALER the credentials necessary to access " ... the personal details of millions of customers ... "?

    • Why oh why would Vodaphone give a DEALER the credentials necessary to access " ... the personal details of millions of customers ... "?

      so the next time you enter small dealer he can offer you an upgrade to a more expensive service.

      • so the next time you enter small dealer he can offer you an upgrade to a more expensive service.

        Or as happened to me: a dealer ''sold me a phone'' -- what he did was to lie and tell vodafone that he had done so and collected his kick-back from vodafone for doing so. The first that I knew about it was many months later when I cancelled my contract of some 5 years and vodafone wanted me to pay them some fee since they thought that I had a new phone and new contract!

        I wonder where he got all the details about me from, had the Vodafone database been abused many years ago, so how many times since ?

        I eventu

  • OK, everyone...we've been notified...
    everybody change their name & move so that the bad guys cannot use this information and we can sit back and laugh at them.

  • This does make me a little nervous... Time to change a few passwords methinks.
    • This does make me a little nervous... Time to change a few passwords methinks.

      If TFA is correct, it's your home address and credit card numbers that might need to be changed...
      Your passwords are probably OK.

  • by icebraining ( 1313345 ) on Sunday January 09, 2011 @01:54PM (#34815982) Homepage

    Yet another reason to use Prepaid SIMs in my phones. My phone company doesn't even know my full name nor phone model, much less my CC number.

    • by xded ( 1046894 )
      In some countries, identification of phone number owner is mandatory (e.g., Italy).
      • by imroy ( 755 )

        In some countries, identification of phone number owner is mandatory (e.g., Italy).

        That's the case here in Australia. I had to give ID when getting a prepaid SIM with Vodafone. However, I don't use a credit card (don't have one) to "recharge" the balance, so I guess all they could have on me is my home address. And mobile number, of course. So I might get some targeted junk mail and unsolicited phone calls?

      • Same for South Africa. It even extends to prepaid. [hellkom.co.za]

        The Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA), requires compulsory registration of all SIM cards in use, and came into effect on 1 July 2009.

        Existing subscribers will have until December 2010 to register both their prepaid and contract SIM cards.

    • by it0 ( 567968 )

      Good for you, however if you connect to them they can see your imei and depending on what other services you use from them, i'm pretty sure they have the capability to know a lot of information, the most obvious one being your phone model.

    • Re:Prepaid SIMs (Score:4, Informative)

      by Zalchiah ( 914703 ) on Sunday January 09, 2011 @04:39PM (#34817428)
      If you have placed a SIM card in a phone, and turned that phone on, your phone company has your phone model. Your IMEI is recorded when your handset connects to your nearest Cell tower, and is recorded with every call or txt you make. Also, Siebel (the system that both Vodafone and Telstra use in Australia) automatically records this IMEI against your account. With an IMEI, it is extremely easy to find out phone model. For free. Online. http://www.numberingplans.com/?page=analysis [numberingplans.com] (Sometimes it asks for a login, sometimes it doesn't. A login is free to create.)
    • You don't necessarily need to go prepaid to avoid giving a CC number. You just need to use a billing option other than 'automatic credit card deducations'.

      I've been a Vodafone AU customer for over a decade and I've always paid via Bpay. Not only is it cheaper (no credit card surcharge), but you don't have to give any personal financial information to them.

      Not that that's much comfort: "Gee, instead of leaking my name, address, phone number, drivers licence number, date of birth and credit card number ... th

  • Such breaches are the reason why I will never have a credit card. There ought to be a way to create some kind of simple ACL on payment methods: Similar to how I use a different e-mail alias for every (important) website I sign up for which I can simply change or delete if the database is breached or I receive spam, I should be able to give each company an individual authorisation code for withdrawals from my account that can only be used by that company, maybe through digital signatures, and may be subject

  • C'mon, millions of customers? this is vodafone we're talking about not o2..
  • Does anybody know if this was a global database or one region only?

    cheers.

    • Does anybody know if this was a global database or one region only?

      cheers.

      It was regional, as another posted pointed out Vodafone uses different systems all over the world.

      It is bad news certainly but unless the person who built the web interface was an idiot it should have no way to extract all customer data in one go. Either way, Vodafone promised more information and we can be certain that will happen as VF is not really a single company anymore than the EU is a single country. It should be interesting as the others will be very peeved this close to the annual SOx audit and

  • Vodafone PR keeps repeating -- both in the press and on their website [vodafone.com.au] -- that the information was "not publicly available on the internet" which, although technically true, is disingenuous. What IS being asserted is that the credentials to access the "secure" information were well known.

    So much information should never have been made public. As others have remarked, not all the breached information needed to be available online. They also should have had individual log-on's and layered access.

    Also, some oth

  • "secure customer database has been breached"

    (for extremely small values of "secure.")

"Hello again, Peabody here..." -- Mister Peabody

Working...