Vodafone Customer Database Breached
beaverdownunder writes "Vodafone has confirmed it believes its secure customer database has been breached by an employee or dealer who has shared the access password, revealing the personal details of millions of customers... According to Fairfax newspapers, 'criminal groups are paying for the private information of some customers including home addresses and credit card details.'"
Well this sure sounds like when they need to give somebody access to *some* data, they just give her/him a username/password which then grants her/him access to the whole database.
ACLs? Group-based authorization? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers' data, etc.
Kind of like: You are the new guy who is managing our blog? Here is the root password on all our systems, thanks to yp, they are the same on all machines. Have fun in your new job.
Everything I write is lies, read between the lines.
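The per-user, group-based authorization the comment above asks for, as an added example that is not part of the original thread and is not Vodafone's code: each user authenticates as themselves, representatives can read only their own customers, and only a billing role sees full card numbers. The role names, field names, `read_customer` and the sample records are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample records; "rep" names the assigned representative.
CUSTOMERS = {
    101: {"name": "A. Citizen", "address": "1 Example St",
          "card": "4111111111111111", "rep": "rep_kim"},
    102: {"name": "B. Sample", "address": "2 Test Ave",
          "card": "5500000000000004", "rep": "rep_lee"},
}

# Field-level policy (hypothetical roles): who may read each field in clear.
FIELD_ROLES = {
    "name": {"rep", "billing"},
    "address": {"rep", "billing"},
    "card": {"billing"},
}

AUDIT_LOG = []  # (username, customer_id, decision), one entry per lookup


@dataclass(frozen=True)
class User:
    username: str  # individual identity, never a shared account
    role: str


class AccessDenied(Exception):
    pass


def mask_card(pan):
    """Keep only the last four digits visible."""
    return "*" * (len(pan) - 4) + pan[-4:]


def read_customer(user, customer_id):
    record = CUSTOMERS.get(customer_id)
    # Row-level check: a rep sees only customers assigned to them.
    # Unknown IDs are denied the same way, so IDs cannot be enumerated.
    allowed = record is not None and (
        user.role == "billing"
        or (user.role == "rep" and record["rep"] == user.username)
    )
    AUDIT_LOG.append((user.username, customer_id, "allow" if allowed else "deny"))
    if not allowed:
        raise AccessDenied(f"{user.username} may not read customer {customer_id}")
    # Field-level check: the card number is masked unless the role may see it.
    view = {}
    for field, roles in FIELD_ROLES.items():
        if user.role in roles:
            view[field] = record[field]
        elif field == "card":
            view[field] = mask_card(record[field])
    return view
```

Because every lookup is logged against an individual username, repeated denials or unusually broad reads by one account show up in `AUDIT_LOG`, which a shared password would hide.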
I don't try to hide and lock down my car's license plate number. My car's license plate number is 6NHG617. Nobody cares about it and nobody wants to steal it. It's not valuable. The solution to the "problem" of personal identification theft is not to keep trying to hide and lock down personal information. The solution is to make personal information no longer valuable.