Vodafone Customer Database Breached

← Back to Stories (view on slashdot.org)

Vodafone Customer Database Breached

Posted by samzenpus on Sunday January 9, 2011 @05:31AM from the lets-see-what-we-got-here dept.

beaverdownunder writes "Vodafone has confirmed it believes its secure customer database has been breached by an employee or dealer who has shared the access password, revealing the personal details of millions of customers... According to Fairfax newspapers, 'criminal groups are paying for the private information of some customers including home addresses and credit card details.'"

105 of 136 comments (clear)

Min score:

Reason:

Sort:

Access password with no ACLs ? by ls671 · 2011-01-09 05:32 · Score: 4, Insightful

Well this sure sounds like when they need to give somebody access to *some* data, they just give her/him a username/password which then grants her/him access to the whole database.
ACLs ? group based authorization ? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers data, etc.
Kind of like: You are the new guy who is managing our blog ? Here is the root password on all our systems, thanks to yp, they are the same on all machines. Have fun in your new job.

--
Everything I write is lies, read between the lines.
1. Re:Access password with no ACLs ? by Anonymous Coward · 2011-01-09 05:48 · Score: 3, Insightful
  
  The bigger problem appears to be that they don't even seem to use individual logins.
  They appear to give stores a single username and password to share (which is probably written on their screens!), and then allow their management system to be accessible from any location.
  The best bit is that some of these credentials are even posted in documents on their website if you look hard enough.
  *facedesk*
2. Re:Access password with no ACLs ? by fractoid · 2011-01-09 05:49 · Score: 1
  
  ACLs ? group based authorization ? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers data, etc.
  At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this. Why the HELL would you have any sensitive customer data on an internet-facing machine?
  
  --
  Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
3. Re:Access password with no ACLs ? by Anonymous Coward · 2011-01-09 06:06 · Score: 5, Interesting
  
  ACLs ? group based authorization ? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers data, etc.
  At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this. Why the HELL would you have any sensitive customer data on an internet-facing machine?
  Because you're a large corporation, therefore the worst that'll happen to you is a small slap-on-the-wrist fine.
  
  How to suddenly tighten up corporate security in one maneuver: pass a law stating that the corporate veil is null and void in the case of egregious security violations like this that even the slightest effort could have prevented, leaving the highest levels of management with their deep pockets open to personal civil suits that are NOT eligible for class-action status or any other group status. One at a time Mr. CEO. Are there thousands of victims? Well, hope you got a lot of time on your hands.
4. Re:Access password with no ACLs ? by Anonymous Coward · 2011-01-09 06:57 · Score: 1
  
  It doen't even matter if it's a massive painful fine - it all gets passed on to the customer, you betcha the management and shareholders won't suffer when averaged out over the next few years. At the worst one scapegoat will get the sack.
  What part of "the corporate veil" being "null and void" is difficult for you to understand? Reading comprehension has reached an all-time low when there are so many wasteful posts like yours.
5. Re:Access password with no ACLs ? by noidentity · 2011-01-09 07:00 · Score: 1
  
  At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this.
  
  Hopefully not for long. Change your CC number and close your account (and don't let them charge you any kind of disconnection/early termination fee).
6. Re:Access password with no ACLs ? by Peeteriz · 2011-01-09 07:10 · Score: 1
  
  The most basic call center employee needs access to data of all the customers, since any of them may call. How can you partition the data and at the same time achieve seamless customer experience wherever the customer may contact you?
7. Re:Access password with no ACLs ? by Spudley · 2011-01-09 07:30 · Score: 1
  
  You say: "very few people should be allowed to view credit card numbers".
  In fact, for them to be PCI compliant (which I would assume a company the size of Vodaphone must be), no-one should be able to access customer credit card numbers. Its shockingly bad practice if they're even on their database, let alone widely accessible.
  
  --
  (Spudley Strikes Again!)
8. Re:Access password with no ACLs ? by headshrinker · 2011-01-09 07:31 · Score: 1
  
  Pull up the data on the caller as they call? Call centre staff don't need access to my details unless I'm on the phone to them, or I have a case open that they're still helping with.
9. Re:Access password with no ACLs ? by Kalriath · 2011-01-09 07:32 · Score: 1
  
  A limited subset of data, yes. The call centre employee doesn't need access to billing for example. The billing support people do, but even they probably don't need access to CC details (perhaps some senior staff should, just so that they can deal with calls related to it). Dealer stores most definitely don't need access to that level of detail, and certainly not for every customer (even those they didn't sign up). And all this stuff sure as shit shouldn't be delivered directly over the frigging internet.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
10. Re:Access password with no ACLs ? by Pembers · 2011-01-09 07:37 · Score: 1
  
  The most basic call center employee needs access to data of all the customers, since any of them may call. How can you partition the data and at the same time achieve seamless customer experience wherever the customer may contact you?
  Partition the call centre employees according to the least significant digit or digits of the customer's telephone number. Employees A, B and C deal with customers with phone numbers ending in 0, and can only see records of those customers. Employees D, E and F deal with phone numbers ending in 1, and so on.
  This is how it was done when I worked in the civil service nearly 20 years ago (well, there it was alphabetically by customer surname, but it's the same principle). That was done for logistical convenience, because we had huge quantities of paper. The records of any customer who might call me would be within 10 feet of where I was sitting, but it had the useful side effect of making it obvious if I went looking at records I wasn't supposed to.
  Granted, this approach in itself wouldn't stop someone copying everything they can access onto a DVD, but if done properly, it would limit the number of customers who want to sue you. It would also give you a head start on figuring out which employee has gone rogue or wrote their password on a Post-It...
  
  --
  Just another wannabe fantasy novelist...
11. Re:Access password with no ACLs ? by Anonymous Coward · 2011-01-09 07:43 · Score: 1
  
  I suspect that this is indeed the case. The "enterprise" tool to access/update phone contract data comes with a windows installer that sets up a "secret" key and certificate in the windows certificate store to create a VPN connection. This key is the same for all store installations and can easily extracted by removing the "not exportable" flag when running the installer in a debugger.
12. Re:Access password with no ACLs ? by AK+Marc · 2011-01-09 07:47 · Score: 1
  
  They are on so that the customer can call in once a month and say "charge the number in my account for last month's bill."
  
  --
  Learn to love Alaska
13. Re:Access password with no ACLs ? by grahammm · 2011-01-09 08:17 · Score: 1
  
  They are on so that the customer can call in once a month and say "charge the number in my account for last month's bill."
  That does not require the CC number to be displayed. The backend system has the number stored (otherwise it could not be retrieved and displayed to the agent), so in the payment entry screen there should be "buttons" for 'charge to stored bank account', 'charge to stored Credit/Debit Card' and 'Enter the card details to be charged'.
14. Re:Access password with no ACLs ? by Pembers · 2011-01-09 08:41 · Score: 1
  
  That would probably work better, yes. Though you can bet this hack wasn't done by someone looking up the record for phone number 000-0000-0000, then 000-0000-0001, then... Perhaps as well as limiting the number of searches an employee can do, searches should be limited to returning no more than X records, where X is much smaller than the number of records in the database.
  
  --
  Just another wannabe fantasy novelist...
15. Re:Access password with no ACLs ? by Peeteriz · 2011-01-09 08:44 · Score: 1
  
  That doesn't work - when I come in person to someone, or someone has picked up my call, they don't know which customer has arrived, and forwarding later to someone else is horribly inefficient and bad service.
16. Re:Access password with no ACLs ? by turbidostato · 2011-01-09 09:51 · Score: 1
  
  "I know this is not a popular opinion here, but sometimes the "peon" implementing the system actually is lazy and useless."
  Still his manager's fault for not firing him on the spot.
  "You're advocating making senior management pay for the actions of an employee they probably never met."
  Senior management advocate they should get bonuses for the actions of all those employees they probably never meet so it's just tit-for-tat.
17. Re:Access password with no ACLs ? by anomaly256 · 2011-01-09 09:57 · Score: 1
  
  If you've ever had to use a Vodafone system or service of any kind, you'll know that the concept of forethought just doesn't exist there. The only surprise here is that something as serious as this didn't happen sooner. Although maybe it did but they managed to keep it quiet..
18. Re:Access password with no ACLs ? by oobayly · 2011-01-09 11:28 · Score: 1
  
  What we need is some kind of system where fines to the company are taken directly from the pay packets of the directors.
  It might make them actually give a shit about data security and force them to deal with these data breaches.
  If they get paid a handsome salary + bonus for the work carried out by those below them, surely they should carry the blame for mistakes made by those below them.
19. Re:Access password with no ACLs ? by mjwalshe · 2011-01-09 11:29 · Score: 1
  
  well from experience working for BT Mobile phone companies don't attract the best techies - surprised that after the news of the world phone hacking that voda hadn't tightened up on security.
20. Re:Access password with no ACLs ? by youngone · 2011-01-09 11:52 · Score: 1
  
  I deal with Vodafone (NZ) which may not be too different from Vodafone (Aus). If it is, this is probably not the stupidist thing they do. In about 36 months of dealing with them, they have never once got our invoice right the first time. They however do business in a duopoly market here in NZ, and their opposition is no better, so what is their incentive?
21. Re:Access password with no ACLs ? by zonky · 2011-01-09 13:01 · Score: 1
  
  There is no inherent protection in marking the key as 'not exportable'. There are many third party tools that will allow you to export the key if you have permissions to read it.
22. Re:Access password with no ACLs ? by Kalriath · 2011-01-09 14:45 · Score: 1
  
  Still his manager's fault for not firing him on the spot.
  No, not really. Since you can only fire someone AFTER they've done something wrong. Under AC's dumb plan, they're already liable for millions in fines, despite the potential that they actually want to fix it.
  
  Senior management advocate they should get bonuses for the actions of all those employees they probably never meet so it's just tit-for-tat.
  Well, yes. Don't get me started on management bonuses.
  (Also, hey mods: "Flamebait" doesn't fucking mean "I disagree, and wish to censor your opinion")
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
23. Re:Access password with no ACLs ? by d6 · 2011-01-09 16:38 · Score: 1
  
  >> That does not require the CC number to be displayed.
  
  Bingo. principle of least privilege. hide what isn't needed from the folks that don't need it.
  You, me and about a thousand people reading this thread probably get it.
  Sounds like their system was designed by a second semester intern
24. Re:Access password with no ACLs ? by Anonymous Coward · 2011-01-09 21:31 · Score: 1
  
  I used to work for a company that looked after data for another phone company in Australia - specifically, they used to look after scanned personal documents (credit cards, drivers licenses, etc) used for verification when people signed up. Security was a joke. There were two of us in the internal network department - we constantly tried to tell the CEO that he needed better controls; the web-based program that handled data management was outside our jurisdiction, though, and he was a pig-headed asshole.
  Out of curiosity I once used the front-facing webpage plus a username/password combo from one of the stores to look up one of my friend's details - found his credit card and DL within a heartbeat. You could look up data in a dozen different ways, including IMEI number. I figured actually taking CC details wouldn't be worth being caught, but I can almost bet nobody would have known either way.
  Said network - and it's a reasonable sized player - at the time would have been vulnerable to the same issues that Vodaphone are going through. They might have tightened security since then - and if the boss wasn't such an oblivious asshole then Vodaphone's lesson might've taught him something - but at any rate let's just say there is no way in six hells I'd ever be a customer of that particular network.
  I ended up leaving within three months, mostly because of the guy running the place.
25. Re:Access password with no ACLs ? by turbidostato · 2011-01-10 01:36 · Score: 1
  
  "No, not really. Since you can only fire someone AFTER they've done something wrong."
  True. But if that someone can do something not simply wrong but utterly wrong it's again a management failure because it means a lack of checks and ballances that they should know better to put them there.
  "Under AC's dumb plan, they're already liable for millions in fines"
  When things go well they're "liable" for millions in bonuses despite of the fact that the "good" comes from a lot of people they neither directly know nor manage. Again, "no pain, no gain": do you want the millionaire bonuses? Expose yourself to millionaire damages.
  Current situation is that great benefits and great damages are an emergent property of the system (aka "the company") but senior management want to recall the great benefits for themselves while at the same time deriving the great damages to the system. That's not only unjust but the very reason of things like BP oil spill or last financial crisis happening.
26. Re:Access password with no ACLs ? by headshrinker · 2011-01-10 01:45 · Score: 1
  
  Do what a few providers already do. On calling, the automated system asks for the telephone number of the line you're calling about, then asks for your PIN. It then transfers you to customer services.
  There's a big difference between being accessible when needed and accessible at all times.
27. Re:Access password with no ACLs ? by nikkipolya · 2011-01-12 04:33 · Score: 1
  
  ACL's? group based authorization? Lets stick to the point... we are talking about Vodafone here.
Valuable goods will be stolen by Stiletto · 2011-01-09 05:46 · Score: 4, Insightful

I don't try to hide and lock down my car's license plate number. My car's license plate number is 6NHG617. Nobody cares about it and nobody wants to steal it. It's not valuable. The solution to the "problem" of personal identification theft is not to keep trying to hide and lock down personal information. The solution is to make personal information no longer valuable.
1. Re:Valuable goods will be stolen by fractoid · 2011-01-09 05:51 · Score: 2
  
  Your number plate is one thing. Your number plate, make of car, route to work, and usual parking place are QUITE another thing. Especially if you drive something worth stealing. Now say there's a similar leak at the main BMW showroom near you, and you drive a BMW. Cross reference the two and they now know your car's activation code. Hurrah!
  
  --
  Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
2. Re:Valuable goods will be stolen by Stiletto · 2011-01-09 06:03 · Score: 2
  
  If I drive something worth stealing, nobody is going to go through any effort that involves my number plate or other "personal information". They're going to tow it away in 45 seconds while I'm in the grocery store.
  The point is, there is no value in this particular "account number" because minus a few concocted movie-like scenarios, it cannot help anyone get anything. But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change. My name/address/ssn can be used to take out a loan in my name. This is what has to change.
3. Re:Valuable goods will be stolen by TheLink · 2011-01-09 06:26 · Score: 2
  
  But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change.
  
  But if it's too "secure", when the bank screws up (or insiders do stuff) they will deny it and convince the courts it's a valid transaction and your fault.
  --
  
  Too many replies beneath your current threshold
4. Re:Valuable goods will be stolen by mehrotra.akash · 2011-01-09 06:29 · Score: 1
  
  But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change.
  To use a credit card online, you need the CC number, the CVV number, date of expiry and an additional password(VbV/Mastercard securecode) -- 3D secure system To use it offline, the signature must match and an id proof is needed for transactions of any significant value, so i dont think the CC leaks are too much of an issue..
5. Re:Valuable goods will be stolen by nahdude812 · 2011-01-09 06:35 · Score: 2
  
  Merchants are not permitted to request ID by their merchant agreement with the credit card companies.
  Lots of places ask for it anyway, because they're who's out cash if a charge is successfully disputed. But you are not required to show ID.
  
  --
  Slay a dragon... over lunch!
6. Re:Valuable goods will be stolen by arkhan_jg · 2011-01-09 06:35 · Score: 4, Informative
  
  Tell that to the people that have had their car number plate cloned for a similar model car, and end up getting speeding tickets and congestion charges for driving in London, despite not doing anything of the sort. And good luck getting the police to believe that's not your car and number plate in the photos.
  The problem is not the openess (or not) of people's data. It's that it's trivially abused as personal data is often used as some form of ID, not least by banks, credit agencies, police and shops.
  
  --
  Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
7. Re:Valuable goods will be stolen by glyphi · 2011-01-09 06:39 · Score: 2
  
  Ohhh, so wrong - your license plate number does have a value. If you have the same make/model/colour vehicle as me I clone your plate and drive through speed cameras with impunity. I don't even have to know your name and address unless I'm stupid enough to get stopped. It's happened over here in blighty, you try proving to a copper with camera evidence of the rear of your car only that it wan't you driving. It proved difficult! Parking fines? Hehehe a thing of the past.
8. Re:Valuable goods will be stolen by Stiletto · 2011-01-09 06:47 · Score: 1
  
  No matter how many numbers are written on a credit card, they must be considered together as a single authentication factor. If the thief has access to one number physically on the card, he likely has access to all numbers on the card.
  The additional password is a good start, but relies on the merchant not being a retard and linking the password with the CC number in a way that can be compromised. Also, as we have seen over and over, however, passwords are not great security tokens because they are either easy to memorize (and easy to guess) or they are hard to memorize and likely will be written down somewhere (or stored somewhere that's protected by an easy-to-remember[guess] password.
  I'm convinced that biometrics are going to play an increasing role, since it's orders of magnitude more difficult to steal someone's eyes or fingers, or to steal the keyfob implanted on a bone in his hand than it is to steal a credit card or a password on a post-it note.
9. Re:Valuable goods will be stolen by Anonymous Coward · 2011-01-09 06:50 · Score: 1
  
  Agreed, Ryan.
10. Re:Valuable goods will be stolen by noidentity · 2011-01-09 06:58 · Score: 1
  
  Nobody cares about [my license plate number] and nobody wants to steal it. It's not valuable.
  
  Correct me if I'm wrong, but people do steal license plates; that's why there are special security bolts you can buy to attach it. If you mean just the number, how could someone steal the number itself? And if they did, would your car just have no number, even in databases?
11. Re:Valuable goods will be stolen by Peeteriz · 2011-01-09 07:16 · Score: 1
  
  Where does your info come from?
  I've worked in banking, and seen merchant agreements that say that for transactions above certain amount, if the merchant doesn't verify ID, then merchant bears the risk - thus checking ID isn't mandatory, but they are allowed to check ID and refuse transactions w/o ID. Maybe that doesn't apply to all types for merchants, but for some (say, jewelry - buying a $1000 gold necklace) Visa/Mastercard definitely allow merchants to request ID.
12. Re:Valuable goods will be stolen by mehrotra.akash · 2011-01-09 07:20 · Score: 1
  
  the merchant cannot store the password as the password is entered after you are redirected to the issuer banks site..
  However your point about weak and remembered or strong and writtendown passwords is very valid
13. Re:Valuable goods will be stolen by Bert64 · 2011-01-09 07:31 · Score: 1
  
  A signature must match the one that's prominently displayed on the back of the card ready for the thief to copy... That's assuming the merchant actually checks, because usually they don't bother. And if large transactions flag too much attention, just make lots of small transactions instead.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
14. Re:Valuable goods will be stolen by LordNacho · 2011-01-09 07:44 · Score: 2
  
  I don't try to hide and lock down my car's license plate number. My car's license plate number is 6NHG617. Nobody cares about it and nobody wants to steal it. It's not valuable. The solution to the "problem" of personal identification theft is not to keep trying to hide and lock down personal information. The solution is to make personal information no longer valuable.
  Are you in the UK? I went to Halford's last week, and based on my number plate, the guy at the till found out what kind of car it was, and what kinds of equipment would fit. I don't know what else he had on the screen, but I'd be pretty unhappy if it had all my details such as address, insurance details, etc. Anyway, he explained it was available as a database that firms can purchase. The fact that someone does purchase it suggests it has some value.
15. Re:Valuable goods will be stolen by LordNacho · 2011-01-09 07:47 · Score: 1
  
  If you mean just the number, how could someone steal the number itself? And if they did, would your car just have no number, even in databases?
  They can have new plates printed. Various dealerships and auto equipment shops have machines that make plates. I'm sure a crook could get a hold of one.
16. Re:Valuable goods will be stolen by stonewallred · 2011-01-09 08:44 · Score: 1
  
  I am never asked for ID when using a credit card, unless I am renting a vehicle. And that has included some charges well over 4k.
17. Re:Valuable goods will be stolen by Darshu · 2011-01-09 10:30 · Score: 5, Informative
  
  On the contrary. ID is not permitted to be required. See right here:
  http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html
  [On an OT note, since when does Slashdot require me to wait for an extraordinarily long period of time when I am just trying to reply with some simple information]
18. Re:Valuable goods will be stolen by noidentity · 2011-01-09 10:45 · Score: 1
  
  Yes, but how is that theft of the number? The number copied is still there on the original vehicle. Sounds more like copying.
19. Re:Valuable goods will be stolen by oobayly · 2011-01-09 11:40 · Score: 1
  
  He'd have a system that gives him the VIN, make, model, variant, colour etc. The DVLA have cracked down on people reselling the data though, hence you don't see so many "text the reg number" services anymore. Bang went our chance to resell it in an Android app. Giving out the full VIN is a big no-no too, last 8 chars is ok to confirm it though.
  We have a similar system in the company I work for to confirm the vehicle we are underwriting. Ours also gives us the number of owners, transfer dates, whether it's been stolen as well. No mileage or finance info though. It's a pretty good service for 10p a hit.
  It's the same system that sites like webuyanycar or bestcarbuyer use. Not affiliated with either.
20. Re:Valuable goods will be stolen by walshy007 · 2011-01-09 19:30 · Score: 1
  
  It is theft in the same way as identity theft, yes you still have your identity, but so do they.
21. Re:Valuable goods will be stolen by dotancohen · 2011-01-09 19:33 · Score: 1
  
  And yet, some of those "violations" are in fact permitted:
  http://www.mastercard.com/us/merchant/support/minmax_trans_amts.html
  
  --
  It is dangerous to be right when the government is wrong.
22. Re:Valuable goods will be stolen by JunkmanUK · 2011-01-09 20:54 · Score: 1
  
  It appears in the US you need the VIN to track car details, in the UK you can use the number plate: https://www.mycarcheck.com/
23. Re:Valuable goods will be stolen by teslar · 2011-01-09 20:56 · Score: 2
  
  In Sweden, the license plate is enough to find out the name and address of the owner. It's a little bit more difficult now, but a few years ago (10-15 maybe?), a bunch of guys basically made a living out of sitting at the ferry terminals, writing down the license plates of the cars that left for Germany or Danmark, called up the authorities to find out the address of a person who was now obviously not at home and then drove there to empty the place.
24. Re:Valuable goods will be stolen by Builder · 2011-01-09 23:13 · Score: 1
  
  Have a look at http://www.askmid.com/ and you'll see that you can find out a good amount of information from just a license plate.
Australia only? by bfree · 2011-01-09 05:51 · Score: 1

Neither the summary nor TFA says if this is global or limited to a particular region or one country. At a guess because TFA comes from a .au domain and says nothing about the extent of the issue this only impacts Australian customers of Vodafone?

--
Never underestimate the dark side of the Source
1. Re:Australia only? by Spad · 2011-01-09 06:27 · Score: 1
  
  That's something I'd like to know as a UK customer of Vodafone; certainly some of their back end infrastructure is shared across regions as their web-based account management is universally badly designed and subject to frequent and random failures if their various national support forums are anything to go by,
2. Re:Australia only? by philj · 2011-01-09 06:43 · Score: 2
  
  Vodafone use different billing, customer care and CRM systems in each country and they aren't linked. I'm certain that this leak is only related to Australian customers.
  
  The only data flow between them would be roaming CDRs and any reporting to VF HQ.
3. Re:Australia only? by zonky · 2011-01-09 07:03 · Score: 1
  
  But i thought Vodafone used shared Egyptian call centres for multiple countries?
4. Re:Australia only? by dakameleon · 2011-01-09 10:13 · Score: 1
  
  From the reporting here in Australia, it does appear to be restricted to Australia; Vodafone has come under increasing fire here for poor service, reception and call handling issues, and this just adds a cherry to the pie that is coming for their face.
  That said, you'd better hope it's not accepted practice across the international organisation. Vodafone here recently merged with Three (Hutchison) for Australian operations, so it could be either company's policies that were the root cause of this, but both these companies are multinationals and if I was a customer of either outside Australia I'd be at least a little worried.
  
  --
  Man who leaps off cliff jumps to conclusion.
5. Re:Australia only? by stoborrobots · 2011-01-09 17:27 · Score: 2
  
  Voda NZ spokesperson states that their systems are unaffected... "We use a completely different security set-up to Australia, which would make it extremely hard for someone to access data..."
  However, their official statement on the matter does nothing to show that they were unaffected...
  
  --
  "Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
6. Re:Australia only? by AmiMoJo · 2011-01-10 00:58 · Score: 1
  
  Even if it doesn't affect the UK I have added the article to the stack I will hand over if/when my identity is stolen. These days it seems to be basically impossible to prevent your private data leaking because so many companies and organisations need it just for you to live a normal life.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Not PCI compliant by 12ahead · 2011-01-09 05:53 · Score: 1

How the heck do they get away with having retrievable credit card details in their db? Once the CC# is in the database it shouldn't be retrievable.
How many places out there don't actually follow this simple rule?
Where I work we were worried that the banks may turn off our credit card processing facilities if we don't get PCI compliant. And that is maybe 1/40 of the customer base.
I am really puzzled - how does Vodafone get away with this in the first place? No audits?
1. Re:Not PCI compliant by philj · 2011-01-09 06:46 · Score: 1
  
  Loads of places aren't PCI compliant yet.
  
  It's not trivial (or cheap) to liase with multiple billing/CRM vendors and do full PCI audits, then pay for any necessary code changes.
  
  In fact, some systems are better off replaced as it's not worth the investment upgrading legacy software. Doing so can take a good 2-3 years.
2. Re:Not PCI compliant by Bert64 · 2011-01-09 07:50 · Score: 1
  
  The PCI requirements aren't great, many are short sighted, flawed or just plain wrong...
  Also if you're a small company, they will hit you over the head and force you to comply with their requirements, if you're a huge company like vodafone you get cut a lot more slack because they don't want to lose your business.
  Most PCI consultants are geared up towards "how can we get through this with the minimum of disruption" rather than "how can we improve security", they comply with the letter of the pci regulations but not necessarily the spirit, and will often try to find loopholes.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
3. Re:Not PCI compliant by stoborrobots · 2011-01-09 17:31 · Score: 1
  
  I assume by
  
  Once the CC# is in the database it shouldn't be retrievable.
  he meant something fairly similar to
  
  stored in encrypted form and restricted access.
  Admittedly, those statements aren't identical, but they're close enough for the vast majority of the employees....
  
  --
  "Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
Secure customer database? by ido50 · 2011-01-09 05:54 · Score: 2

I don't think you can still call it "secure".
1. Re:Secure customer database? by countertrolling · 2011-01-09 06:06 · Score: 1
  
  It's the mother of all oxymorons
  
  --
  For justice, we must go to Don Corleone
2. Re:Secure customer database? by TheRaven64 · 2011-01-09 06:32 · Score: 3, Funny
  
  It's just a missing hyphen. They meant secure-customer database. They put their insecure customers in another database and send them reassuring text messages periodically.
  
  --
  I am TheRaven on Soylent News
3. Re:Secure customer database? by wvmarle · 2011-01-09 19:32 · Score: 1
  
  Everything is as strong as the weakest link - and in case of computer security that weakest link is usually the human factor.
  Indeed in this case they talk about shared passwords. The database may be very secure, but when people having access rights share those rights with unauthorised parties well then security is breached. Which doesn't mean the database itself is not secure though.
Re:Let me be the first to say by bfree · 2011-01-09 05:54 · Score: 2

Vodafone

Vodafone Group plc (LSE: VOD, NASDAQ: VOD) is a global telecommunications company headquartered in Newbury, United Kingdom. It is the world's largest mobile telecommunications company measured by revenues and the world's second-largest measured by subscribers (behind China Mobile), with around 332 million proportionate subscribers as of 30 September 2010.[2][3] It operates networks in over 30 countries and has partner networks in over 40 additional countries.[4] It owns 45% of Verizon Wireless, the largest mobile telecommunications company in the United States measured by subscribers.

--
Never underestimate the dark side of the Source
Re:Let me be the first to say by laughingcoyote · 2011-01-09 06:00 · Score: 1

Seems it would be this.

--
To fight the war on terror, stop being afraid.
Make them pay! by Goglu · 2011-01-09 06:01 · Score: 1

First, make it mandatory to disclaim when a breach occurs, with a criminal penalty (making their management accessory to the crimes in which this breached information may be used). When we'll make companies responsible for the damage they cause, they will be more careful with the information. Actually, I'd expect them to tackle the problem at its source and stop collecting unnecessary information altogether... or implement good security measures.

We have a situation where the cost of acquiring and possessing information is next to nothing, but using it has a value. Let's re-establish the balance by making sure that the cost of possession reflects the reality.
1. Re:Make them pay! by Anonymous Coward · 2011-01-09 07:32 · Score: 1
  
  I hope it sinks them and Philip Green the tax avoiding sunofabitch
  http://www.ukuncut.org.uk/targets
2. Re:Make them pay! by Bert64 · 2011-01-09 07:54 · Score: 1
  
  Also if a company leaks information such as card details, make *them* liable for any fraud which occurs as a result...
  When a mass fraud happens, it's quite easy to work out that all the stolen cards were used with the same company.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Breached? Or "leaked"? by countertrolling · 2011-01-09 06:09 · Score: 1

Neat way of selling your database, then claiming it was stolen...

--
For justice, we must go to Don Corleone
Re:Password Changes by Anonymous Coward · 2011-01-09 06:09 · Score: 1

From the Article:
"I'm not concerned about the brand at the moment, I'm mostly concerned about making sure our customers' records are safe."
"And that's why we're resetting those passwords every 24 hours. "
So I guess
Today's password is "password01092011" tomorrow's password is "password01102011" Terminals labels will be changed to password = password + today's date.
Why dealers? by jamesl · 2011-01-09 06:11 · Score: 1

Why oh why would Vodaphone give a DEALER the credentials necessary to access " ... the personal details of millions of customers ... "?
1. Re:Why dealers? by citizenr · 2011-01-09 06:47 · Score: 1
  
  Why oh why would Vodaphone give a DEALER the credentials necessary to access " ... the personal details of millions of customers ... "?
  so the next time you enter small dealer he can offer you an upgrade to a more expensive service.
  
  --
  Who logs in to gdm? Not I, said the duck.
2. Re:Why dealers? by Alain+Williams · 2011-01-09 08:25 · Score: 2
  
  so the next time you enter small dealer he can offer you an upgrade to a more expensive service.
  Or as happened to me: a dealer ''sold me a phone'' -- what he did was to lie and tell vodafone that he had done so and collected his kick-back from vodafone for doing so. The first that I knew about it was many months later when I cancelled my contract of some 5 years and vodafone wanted me to pay them some fee since they thought that I had a new phone and new contract!
  I wonder where he got all the details about me from, had the Vodafone database been abused many years ago, so how many times since ?
  I eventually got them to back down, but I never got a letter of apology -- they don't seem to give a damn.
  As far as I am concerned: Vodafone suck -- don't go near them.
Well at least they notified us so that we can... by thomasdz · 2011-01-09 06:34 · Score: 1

OK, everyone...we've been notified...
everybody change their name & move so that the bad guys cannot use this information and we can sit back and laugh at them.

--
Karma: Excellent. 15 moderator points expire sometime.
As A Vodafone Customer... by thatbloke83 · 2011-01-09 06:36 · Score: 1

This does make me a little nervous... Time to change a few passwords methinks.
1. Re:As A Vodafone Customer... by AliasMarlowe · 2011-01-09 06:49 · Score: 1
  
  This does make me a little nervous... Time to change a few passwords methinks.
  If TFA is correct, it's your home address and credit card numbers that might need to be changed...
  Your passwords are probably OK.
  
  --
  Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Prepaid SIMs by icebraining · 2011-01-09 06:54 · Score: 2

Yet another reason to use Prepaid SIMs in my phones. My phone company doesn't even know my full name nor phone model, much less my CC number.

--
Dilbert RSS feed
1. Re:Prepaid SIMs by xded · 2011-01-09 07:17 · Score: 1
  
  In some countries, identification of phone number owner is mandatory (e.g., Italy).
2. Re:Prepaid SIMs by it0 · 2011-01-09 07:20 · Score: 1
  
  Good for you, however if you connect to them they can see your imei and depending on what other services you use from them, i'm pretty sure they have the capability to know a lot of information, the most obvious one being your phone model.
3. Re:Prepaid SIMs by Kalriath · 2011-01-09 07:38 · Score: 3, Informative
  
  Bollocks, don't you go speaking for NZ. You can just buy a voucher - with cash - and use the code printed on it to top up.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
4. Re:Prepaid SIMs by imroy · 2011-01-09 07:41 · Score: 1
  
  In some countries, identification of phone number owner is mandatory (e.g., Italy).
  That's the case here in Australia. I had to give ID when getting a prepaid SIM with Vodafone. However, I don't use a credit card (don't have one) to "recharge" the balance, so I guess all they could have on me is my home address. And mobile number, of course. So I might get some targeted junk mail and unsolicited phone calls?
5. Re:Prepaid SIMs by igreaterthanu · 2011-01-09 07:51 · Score: 2
  
  ...or you can walk to almost any store whatsoever and buy a topup anonymously with cash.
  
  --
  I dream of a nation where a man is not judged by his skin color but by an number assigned by a credit rating agency.
6. Re:Prepaid SIMs by Zalchiah · 2011-01-09 09:39 · Score: 4, Informative
  
  If you have placed a SIM card in a phone, and turned that phone on, your phone company has your phone model. Your IMEI is recorded when your handset connects to your nearest Cell tower, and is recorded with every call or txt you make. Also, Siebel (the system that both Vodafone and Telstra use in Australia) automatically records this IMEI against your account. With an IMEI, it is extremely easy to find out phone model. For free. Online. http://www.numberingplans.com/?page=analysis (Sometimes it asks for a login, sometimes it doesn't. A login is free to create.)
7. Re:Prepaid SIMs by icebraining · 2011-01-09 11:22 · Score: 1
  
  Nope, prepaid is the norm here, I don't know anyone who has contract for personal phones.
  
  --
  Dilbert RSS feed
8. Re:Prepaid SIMs by Cimexus · 2011-01-09 14:02 · Score: 1
  
  You don't necessarily need to go prepaid to avoid giving a CC number. You just need to use a billing option other than 'automatic credit card deducations'.
  I've been a Vodafone AU customer for over a decade and I've always paid via Bpay. Not only is it cheaper (no credit card surcharge), but you don't have to give any personal financial information to them.
  Not that that's much comfort: "Gee, instead of leaking my name, address, phone number, drivers licence number, date of birth and credit card number ... they just have the first five of those!". Hmm. This might be the final straw for me. Vodafone used to be good but in the last year or so their network quality has deteriorated insanely ... and now this privacy breach? Pains me to say it but maybe I should move to Telstra (ewww).
9. Re:Prepaid SIMs by Billlagr · 2011-01-09 14:13 · Score: 1
  
  They don't in Aus either. Kinda the point of prepaid, you don't require a CC. You just buy the recharge vouchers over the counter at a number of different places.
10. Re:Prepaid SIMs by KiwiSurfer · 2011-01-09 14:35 · Score: 1
  
  Nope, you can buy vouchers with cash in New Zealand (I can't speak for Australia). This has been the case here since day 1 and is currently still the case -- even though credit card top ups have since been introduced as an (not very popualar) alternative option. However they can match up your voucher to where it was issued -- which some might consider a privacy issue.
11. Re:Prepaid SIMs by pinkushun · 2011-01-09 19:52 · Score: 1
  
  Same for South Africa. It even extends to prepaid.
  
  The Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA), requires compulsory registration of all SIM cards in use, and came into effect on 1 July 2009.
  
  Existing subscribers will have until December 2010 to register both their prepaid and contract SIM cards.
Time to rethink payment methods? by silanea · 2011-01-09 07:02 · Score: 1

Such breaches are the reason why I will never have a credit card. There ought to be a way to create some kind of simple ACL on payment methods: Similar to how I use a different e-mail alias for every (important) website I sign up for which I can simply change or delete if the database is breached or I receive spam, I should be able to give each company an individual authorisation code for withdrawals from my account that can only be used by that company, maybe through digital signatures, and may be subject to further limitations (no withdrawal above x, not more than a total of x withdrawn per month, each requested withdrawal must be manually authorised by me...). So even if one such code was compromised evil haxor X could do nothing with it unless they also steal the same company's payment certificate, which in an ideal world should not be stored on the same machine as their customer DB.
I can fine-tune who can do what on my media server down to ridiculous levels, but I have virtually no control over my bank account. Something is horribly wrong in this world.

--
Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
details of millions of customers by zakeria · 2011-01-09 07:34 · Score: 1

C'mon, millions of customers? this is vodafone we're talking about not o2..
1. Re:details of millions of customers by UoNTidal · 2011-01-09 08:33 · Score: 1
  
  Yes, millions - Vodafone Hutchinson Australia (which owns the Vodafone and 3 networks in Australia) had 6.3 million customers as of September 2009.
Re:Let me be the first to say by Bert64 · 2011-01-09 07:51 · Score: 3, Informative

Considering that as a vodafone customer you can travel to 30 countries and use a network owned by the same company, the roaming rates are pretty extortionate when you actually try to do so.

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Global or one country only? by fantomas · 2011-01-09 07:59 · Score: 1

Does anybody know if this was a global database or one region only?
cheers.
1. Re:Global or one country only? by Chucky_M · 2011-01-09 08:26 · Score: 1
  
  Does anybody know if this was a global database or one region only?
  cheers.
  It was regional, as another posted pointed out Vodafone uses different systems all over the world.
  
  It is bad news certainly but unless the person who built the web interface was an idiot it should have no way to extract all customer data in one go. Either way, Vodafone promised more information and we can be certain that will happen as VF is not really a single company anymore than the EU is a single country. It should be interesting as the others will be very peeved this close to the annual SOx audit and the ball is dropped like this.
Should never have been this bad by skegg · 2011-01-09 10:03 · Score: 1

Vodafone PR keeps repeating -- both in the press and on their website -- that the information was "not publicly available on the internet" which, although technically true, is disingenuous. What IS being asserted is that the credentials to access the "secure" information were well known.
So much information should never have been made public. As others have remarked, not all the breached information needed to be available online. They also should have had individual log-on's and layered access.
Also, some other systems log user queries for later audit / scrutiny (e.g. the police database here in NSW). Definitely not fool-proof but a deterrent.
Re:Let me be the first to say by Cimexus · 2011-01-09 14:08 · Score: 1

That'd be the largest mobile telecommunications company in the world.
Kinda like saying "WTF's a McDonalds?" :P
Stellar reporting by Legion303 · 2011-01-09 14:13 · Score: 1

"secure customer database has been breached"
(for extremely small values of "secure.")
Re:Let me be the first to say by KiwiSurfer · 2011-01-09 14:39 · Score: 1

Indeed. Back in the days before zonal pricing for roaming, Vodafone New Zealand used to set their roaming prices for individual foriegn networks. There were a few cases in several countries where it was cheaper to roam on a non-Vodafone network for certain types of traffic (i.e. inbound voice, outbound voice, texts, data, etc) than with a Vodafone network. I found that highly amusing at the time. However I suspect they made a lot of money off people who thought Vodafone was the cheapest roaming parnter -- when it was sometimes not the case.
Vodafone fundamentally sucks at stuff in general. by brendan.hill · 2011-01-09 15:01 · Score: 1

My company got sucked into moving several thousand numbers to Vodafone (via Crazy Johns) several years ago, suckered in by cheap prices.
The first month, their whole computer system crashed. They couldn't recover the statements and in the end we got that month for free.
The second month, every single charge on every single statement was overcharged by about 30%-40%. It took 3-4 months to get this sorted out, massively delaying our billing cycle. Eventually we had to issue 3 months of bills within several weeks which caused huge amounts of ill will (towards us, not Vodafone).
By then it had turned out that their billing system wasn't actually capable of processing the phone plan they'd sold us. It literally couldn't compute the fees. So, I had to personally develop custom software (took about 2 days) to make the micro adjustments to each item on the bills before we sent them on, then chase Vodafone for the appropriate refund. Running this internal rerate each month is now a standard part of our billing process.
In the midst of all this fucking stupidity, for about the first year, they were unable to bring up our account on screen because it was so large (kept crashing), so they couldn't effectively respond to our account enquiries.
That's just my own personal direct experience, but more broadly they're recognized as having the worst coverage, they may have a class action coming against them for unreasnoable network drop outs, and now on top of that they've demonstrated deplorable security policies.
Vodafone: you suck at life. Fuck you. Fuck you fuck you fuck you.
Vodafone also owns 45% of Verizon Wireless. by Woldscum · 2011-01-10 07:37 · Score: 1

Vodafone also owns 45% of Verizon Wireless.
http://en.wikipedia.org/wiki/Verizon_Wireless
"Cellco Partnership, doing business as Verizon Wireless, is a wireless phone provider that owns and operates the largest mobile telecommunications network in the United States, based on a total of 93.2 million U.S. subscribers, 400,000 subscribers ahead of the second largest provider, AT&T Mobility, in Q3 2010.[1] Headquartered in Basking Ridge, New Jersey,[2] the company is a joint venture of U.S. telecommunications firm Verizon Communications and British multinational mobile network operator Vodafone, with 55 and 45 percent ownership respectively."