Slashdot Mirror


Vodafone Customer Database Breached

beaverdownunder writes "Vodafone has confirmed it believes its secure customer database has been breached by an employee or dealer who has shared the access password, revealing the personal details of millions of customers... According to Fairfax newspapers, 'criminal groups are paying for the private information of some customers including home addresses and credit card details.'"

24 of 136 comments

  1. Access password with no ACLs ? by ls671 · · Score: 4, Insightful

    Well this sure sounds like when they need to give somebody access to *some* data, they just give her/him a username/password which then grants her/him access to the whole database.

    ACLs ? group based authorization ? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers' data, etc.

    Kind of like: You are the new guy who is managing our blog ? Here is the root password on all our systems, thanks to yp, they are the same on all machines. Have fun in your new job.

    --
    Everything I write is lies, read between the lines.
    1. Re:Access password with no ACLs ? by Anonymous Coward · · Score: 3, Insightful

      The bigger problem appears to be that they don't even seem to use individual logins.

      They appear to give stores a single username and password to share (which is probably written on their screens!), and then allow their management system to be accessible from any location.

      The best bit is that some of these credentials are even posted in documents on their website if you look hard enough.

      *facedesk*
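
Added example, not part of the original thread: a minimal sketch of what the two comments above ask for, individual logins combined with role-based and row-level authorization, so a representative reads only assigned customers and never sees card numbers. The role names, record fields and sample data are constructed assumptions, not details of Vodafone's system.

```python
from dataclasses import dataclass

# Constructed sample records (assumed layout, not a real schema).
CUSTOMERS = {
    "c1": {"name": "A. Example", "address": "1 Sample St",
           "card": "4111111111111111", "rep": "rep_alice"},
    "c2": {"name": "B. Example", "address": "2 Sample St",
           "card": "5500000000000004", "rep": "rep_bob"},
}

# Field-level rule: which columns each role may read.
# Only the (hypothetical) billing role ever sees the card number.
ROLE_FIELDS = {
    "representative": {"name", "address"},
    "billing": {"name", "card"},
}

@dataclass(frozen=True)
class User:
    login: str  # one login per person, never a shared store account
    role: str

# Every decision is recorded against an individual login.
AUDIT_LOG = []  # list of (login, customer_id, "allow" | "deny")

def read_customer(user, customer_id):
    """Return only the fields this user may see, or raise PermissionError."""
    record = CUSTOMERS.get(customer_id)
    allowed = ROLE_FIELDS.get(user.role, set())  # unknown role: deny by default
    # Row-level rule: a representative reaches only customers assigned to them.
    own_row = user.role != "representative" or (
        record is not None and record["rep"] == user.login)
    if record is None or not allowed or not own_row:
        AUDIT_LOG.append((user.login, customer_id, "deny"))
        raise PermissionError(f"{user.login} may not read {customer_id}")
    AUDIT_LOG.append((user.login, customer_id, "allow"))
    return {k: v for k, v in record.items() if k in allowed}

if __name__ == "__main__":
    alice = User("rep_alice", "representative")
    print(read_customer(alice, "c1"))      # name and address only
    try:
        read_customer(alice, "c2")         # another representative's customer
    except PermissionError as exc:
        print("denied:", exc)
    print(AUDIT_LOG)
```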

    2. Re:Access password with no ACLs ? by Anonymous Coward · · Score: 5, Interesting

      ACLs ? group based authorization ? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers' data, etc.

      At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this. Why the HELL would you have any sensitive customer data on an internet-facing machine?

      Because you're a large corporation, therefore the worst that'll happen to you is a small slap-on-the-wrist fine.

      How to suddenly tighten up corporate security in one maneuver: pass a law stating that the corporate veil is null and void in the case of egregious security violations like this that even the slightest effort could have prevented, leaving the highest levels of management with their deep pockets open to personal civil suits that are NOT eligible for class-action status or any other group status. One at a time Mr. CEO. Are there thousands of victims? Well, hope you got a lot of time on your hands.

  2. Valuable goods will be stolen by Stiletto · · Score: 4, Insightful

    I don't try to hide and lock down my car's license plate number. My car's license plate number is 6NHG617. Nobody cares about it and nobody wants to steal it. It's not valuable. The solution to the "problem" of personal identification theft is not to keep trying to hide and lock down personal information. The solution is to make personal information no longer valuable.

    1. Re:Valuable goods will be stolen by fractoid · · Score: 2

      Your number plate is one thing. Your number plate, make of car, route to work, and usual parking place are QUITE another thing. Especially if you drive something worth stealing. Now say there's a similar leak at the main BMW showroom near you, and you drive a BMW. Cross reference the two and they now know your car's activation code. Hurrah!

      --
      Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
    2. Re:Valuable goods will be stolen by Stiletto · · Score: 2

      If I drive something worth stealing, nobody is going to go through any effort that involves my number plate or other "personal information". They're going to tow it away in 45 seconds while I'm in the grocery store.

      The point is, there is no value in this particular "account number" because minus a few concocted movie-like scenarios, it cannot help anyone get anything. But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change. My name/address/ssn can be used to take out a loan in my name. This is what has to change.

    3. Re:Valuable goods will be stolen by TheLink · · Score: 2

      But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change.

      But if it's too "secure", when the bank screws up (or insiders do stuff) they will deny it and convince the courts it's a valid transaction and your fault.

    4. Re:Valuable goods will be stolen by nahdude812 · · Score: 2

      Merchants are not permitted to request ID by their merchant agreement with the credit card companies.

      Lots of places ask for it anyway, because they're who's out cash if a charge is successfully disputed. But you are not required to show ID.

    5. Re:Valuable goods will be stolen by arkhan_jg · · Score: 4, Informative

      Tell that to the people that have had their car number plate cloned for a similar model car, and end up getting speeding tickets and congestion charges for driving in London, despite not doing anything of the sort. And good luck getting the police to believe that's not your car and number plate in the photos.

      The problem is not the openness (or not) of people's data. It's that it's trivially abused as personal data is often used as some form of ID, not least by banks, credit agencies, police and shops.

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
    6. Re:Valuable goods will be stolen by glyphi · · Score: 2

      Ohhh, so wrong - your license plate number does have a value. If you have the same make/model/colour vehicle as me I clone your plate and drive through speed cameras with impunity. I don't even have to know your name and address unless I'm stupid enough to get stopped. It's happened over here in blighty, you try proving to a copper with camera evidence of the rear of your car only that it wasn't you driving. It proved difficult! Parking fines? Hehehe a thing of the past.

    7. Re:Valuable goods will be stolen by LordNacho · · Score: 2

      I don't try to hide and lock down my car's license plate number. My car's license plate number is 6NHG617. Nobody cares about it and nobody wants to steal it. It's not valuable. The solution to the "problem" of personal identification theft is not to keep trying to hide and lock down personal information. The solution is to make personal information no longer valuable.

      Are you in the UK? I went to Halford's last week, and based on my number plate, the guy at the till found out what kind of car it was, and what kinds of equipment would fit. I don't know what else he had on the screen, but I'd be pretty unhappy if it had all my details such as address, insurance details, etc. Anyway, he explained it was available as a database that firms can purchase. The fact that someone does purchase it suggests it has some value.

    8. Re:Valuable goods will be stolen by Darshu · · Score: 5, Informative

      On the contrary. ID is not permitted to be required. See right here:

      http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html

      [On an OT note, since when does Slashdot require me to wait for an extraordinarily long period of time when I am just trying to reply with some simple information]

    9. Re:Valuable goods will be stolen by teslar · · Score: 2

      In Sweden, the license plate is enough to find out the name and address of the owner. It's a little bit more difficult now, but a few years ago (10-15 maybe?), a bunch of guys basically made a living out of sitting at the ferry terminals, writing down the license plates of the cars that left for Germany or Denmark, called up the authorities to find out the address of a person who was now obviously not at home and then drove there to empty the place.

  3. Secure customer database? by ido50 · · Score: 2

    I don't think you can still call it "secure".

    1. Re:Secure customer database? by TheRaven64 · · Score: 3, Funny

      It's just a missing hyphen. They meant secure-customer database. They put their insecure customers in another database and send them reassuring text messages periodically.

      --
      I am TheRaven on Soylent News
  4. Re:Let me be the first to say by bfree · · Score: 2
    Vodafone

    Vodafone Group plc (LSE: VOD, NASDAQ: VOD) is a global telecommunications company headquartered in Newbury, United Kingdom. It is the world's largest mobile telecommunications company measured by revenues and the world's second-largest measured by subscribers (behind China Mobile), with around 332 million proportionate subscribers as of 30 September 2010.[2][3] It operates networks in over 30 countries and has partner networks in over 40 additional countries.[4] It owns 45% of Verizon Wireless, the largest mobile telecommunications company in the United States measured by subscribers.

    --

    Never underestimate the dark side of the Source

  5. Re:Australia only? by philj · · Score: 2

    Vodafone use different billing, customer care and CRM systems in each country and they aren't linked. I'm certain that this leak is only related to Australian customers.

    The only data flow between them would be roaming CDRs and any reporting to VF HQ.

  6. Prepaid SIMs by icebraining · · Score: 2

    Yet another reason to use Prepaid SIMs in my phones. My phone company doesn't even know my full name nor phone model, much less my CC number.

    1. Re:Prepaid SIMs by Kalriath · · Score: 3, Informative

      Bollocks, don't you go speaking for NZ. You can just buy a voucher - with cash - and use the code printed on it to top up.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    2. Re:Prepaid SIMs by igreaterthanu · · Score: 2

      ...or you can walk to almost any store whatsoever and buy a topup anonymously with cash.

      --
      I dream of a nation where a man is not judged by his skin color but by a number assigned by a credit rating agency.
    3. Re:Prepaid SIMs by Zalchiah · · Score: 4, Informative

      If you have placed a SIM card in a phone, and turned that phone on, your phone company has your phone model. Your IMEI is recorded when your handset connects to your nearest Cell tower, and is recorded with every call or txt you make. Also, Siebel (the system that both Vodafone and Telstra use in Australia) automatically records this IMEI against your account. With an IMEI, it is extremely easy to find out phone model. For free. Online. http://www.numberingplans.com/?page=analysis (Sometimes it asks for a login, sometimes it doesn't. A login is free to create.)

  7. Re:Let me be the first to say by Bert64 · · Score: 3, Informative

    Considering that as a vodafone customer you can travel to 30 countries and use a network owned by the same company, the roaming rates are pretty extortionate when you actually try to do so.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. Re:Why dealers? by Alain Williams · · Score: 2

    so the next time you enter small dealer he can offer you an upgrade to a more expensive service.

    Or as happened to me: a dealer "sold me a phone" -- what he did was to lie and tell Vodafone that he had done so and collected his kick-back from Vodafone for doing so. The first that I knew about it was many months later when I cancelled my contract of some 5 years and Vodafone wanted me to pay them some fee since they thought that I had a new phone and new contract!

    I wonder where he got all the details about me from, had the Vodafone database been abused many years ago, so how many times since ?

    I eventually got them to back down, but I never got a letter of apology -- they don't seem to give a damn.

    As far as I am concerned: Vodafone suck -- don't go near them.