BreachExchange mailing list archives

Vodafone Australia in massive data leakage controversy


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sun, 9 Jan 2011 13:38:39 -0500

http://nakedsecurity.sophos.com/2011/01/09/vodafone-australia-data-leakage-controversy/

Australian media giant Fairfax leads today with dramatic claims that
customer data from mobile phone company Vodafone Australia is
routinely falling into the wrong hands, thanks to lax database
security.

According to Fairfax, Vodafone's customer database is accessible to
all its dealers over the internet, with the result that any dealer can
look up extensive amounts of personally identifiable information
(PII), together with call and SMS history, for any customer.

The Sydney Morning Herald says that unscrupulous password-holders have
been offering what amounts to "pay-per-view" access to customer data
to third parties.

Individuals, claims the Herald, are buying information to keep track
of their spouses, whilst "criminal groups [are] paying for the private
information of some Vodafone customers to stand over them". (Standover
is the chillingly descriptive Australian vernacular for intimidation
and extortion.)

If these allegations are true - and the reporter making them describes
how she watched her own details, including complete call records,
brought up over the internet by someone with a password for the
Vodafone database - then they come at a woeful moment for Vodafone.

The company is already under the pump over ongoing network problems -
a Sydney law firm recently set up a "register here to join a class
action against Vodafone" website, and claimed on 05 January 2011 that
approximately 9000 customers have already expressed an interest. (To
be fair to Vodafone, this is one of those "no win no fee" deals, and
no-one has actually had to provide any evidence or information yet.
Talk - or its modern equivalent, clicking on a website - is cheap.)

This story is a disappointing echo of the so-called WikiLeaks
"Cablegate" drama. In this case, it is claimed that a single person,
with the lowly rank of PFC (Lance Corporal), was able to access, and
to copy unencrypted, three decades' worth of secret US State
Department diplomatic cables.

Organisational data shouldn't be accessible in an all-or-nothing
fashion like this. It isn't fair to the organisation, and it
definitely isn't fair to its customers. If you haven't yet started
thinking about how to divide-and-conquer your corporate data - and how
to divide-and-conquer the administration of that data - then why not
make it a 2011 New Year's Resolution to do so?
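The "divide-and-conquer" model the article asks for, as an added illustration rather than code from Vodafone, Fairfax or Sophos: customer records are split into field groups, each role is granted groups rather than whole records, a dealer can only reach the accounts in its own book, and every lookup, allowed or refused, lands in an audit log with a stated reason. The roles, field groups, customer records and user identities are all constructed sample data; `all_or_nothing_lookup` stands in for the single-password model the article describes.

```python
"""Scoped, audited customer lookup (added example; all data constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# A role is granted field groups, never the whole record.
FIELD_GROUPS: Dict[str, Set[str]] = {
    "contact": {"name", "address", "email"},
    "billing": {"plan", "balance"},
    "usage": {"call_history", "sms_history"},
}

# Assumed roles: dealers sell plans and never see usage data; support sees
# usage for troubleshooting but not billing; a fraud team sees all groups.
ROLE_GRANTS: Dict[str, Set[str]] = {
    "dealer": {"contact", "billing"},
    "support": {"contact", "usage"},
    "fraud_team": {"contact", "billing", "usage"},
}


@dataclass
class Customer:
    customer_id: str
    dealer_id: str            # the dealer responsible for this account
    data: Dict[str, object]


@dataclass
class Principal:
    user_id: str
    role: str
    dealer_id: Optional[str] = None   # dealers are scoped to their own book


class AccessDenied(Exception):
    pass


def all_or_nothing_lookup(records: Dict[str, Customer], customer_id: str) -> Dict[str, object]:
    """The model the article criticises: any valid login returns every field of any customer."""
    return records[customer_id].data


class CustomerDirectory:
    def __init__(self, customers: List[Customer]):
        self._by_id = {c.customer_id: c for c in customers}
        self.audit_log: List[dict] = []

    def _audit(self, who, customer_id, fields, reason, outcome):
        self.audit_log.append({"user": who.user_id, "role": who.role, "customer": customer_id,
                               "fields": sorted(fields), "reason": reason, "outcome": outcome})

    def allowed_fields(self, who: Principal) -> Set[str]:
        allowed: Set[str] = set()
        for group in ROLE_GRANTS.get(who.role, set()):
            allowed |= FIELD_GROUPS[group]
        return allowed

    def lookup(self, who: Principal, customer_id: str, fields, reason: str) -> Dict[str, object]:
        if not reason:
            raise ValueError("every lookup must carry a reason for the audit log")
        fields = set(fields)
        rec = self._by_id.get(customer_id)
        # A dealer only sees its own accounts. Missing and out-of-scope records
        # produce the same error, so the directory cannot be enumerated by probing.
        in_scope = rec is not None and (who.role != "dealer" or rec.dealer_id == who.dealer_id)
        if not in_scope:
            self._audit(who, customer_id, fields, reason, "denied:scope")
            raise AccessDenied("no such customer in your scope")
        refused = fields - self.allowed_fields(who)
        if refused:
            self._audit(who, customer_id, fields, reason, "denied:fields")
            raise AccessDenied(f"role {who.role!r} may not read {sorted(refused)}")
        self._audit(who, customer_id, fields, reason, "ok")
        return {f: rec.data[f] for f in fields}


# Constructed sample records (not real customers).
SAMPLE_CUSTOMERS = [
    Customer("C-1001", "D-ALPHA", {"name": "A. Example", "address": "1 Sample St", "email": "a@example.invalid",
                                   "plan": "Cap 49", "balance": 12.5,
                                   "call_history": ["2011-01-08 03:12 outgoing 00:04:10"], "sms_history": []}),
    Customer("C-2002", "D-BETA", {"name": "B. Example", "address": "2 Sample St", "email": "b@example.invalid",
                                  "plan": "Cap 79", "balance": 0.0,
                                  "call_history": ["2011-01-07 19:40 incoming 00:01:02"], "sms_history": ["2011-01-07 19:45"]}),
]

if __name__ == "__main__":
    directory = CustomerDirectory(SAMPLE_CUSTOMERS)
    dealer = Principal("u-dealer-7", "dealer", dealer_id="D-ALPHA")
    print(directory.lookup(dealer, "C-1001", ["name", "plan"], "plan renewal"))
    for entry in directory.audit_log:
        print(entry)
```

Two design choices matter here: the scope check runs before the field check and returns an identical error for "not found" and "not yours", and the audit entry is written for refusals as well as successes, which is what makes the pay-per-view pattern in the article visible to whoever reviews the log.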
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
