Slashdot Mirror


Vodafone Customer Database Breached

beaverdownunder writes "Vodafone has confirmed it believes its secure customer database has been breached by an employee or dealer who has shared the access password, revealing the personal details of millions of customers... According to Fairfax newspapers, 'criminal groups are paying for the private information of some customers including home addresses and credit card details.'"

  1. Access password with no ACLs? by ls671 · Score: 4, Insightful

    Well this sure sounds like when they need to give somebody access to *some* data, they just give her/him a username/password which then grants her/him access to the whole database.

    ACLs? Group-based authorization? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers' data, etc.

    Kind of like: You are the new guy who is managing our blog? Here is the root password on all our systems, thanks to yp, they are the same on all machines. Have fun in your new job.

    --
    Everything I write is lies, read between the lines.
    1. Re:Access password with no ACLs? by Anonymous Coward · Score: 3, Insightful

      The bigger problem appears to be that they don't even seem to use individual logins.

      They appear to give stores a single username and password to share (which is probably written on their screens!), and then allow their management system to be accessible from any location.

      The best bit is that some of these credentials are even posted in documents on their website if you look hard enough.

      *facedesk*

    2. Re:Access password with no ACLs? by Anonymous Coward · Score: 5, Interesting

      ACLs? Group-based authorization? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers' data, etc.

      At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this. Why the HELL would you have any sensitive customer data on an internet-facing machine?

      Because you're a large corporation, therefore the worst that'll happen to you is a small slap-on-the-wrist fine.

      How to suddenly tighten up corporate security in one maneuver: pass a law stating that the corporate veil is null and void in the case of egregious security violations like this that even the slightest effort could have prevented, leaving the highest levels of management with their deep pockets open to personal civil suits that are NOT eligible for class-action status or any other group status. One at a time Mr. CEO. Are there thousands of victims? Well, hope you got a lot of time on your hands.
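
The access model the first comment and its replies ask for (individual logins, group-based authorization, representatives limited to their own customers, card numbers visible to very few), sketched as an added example that is not part of the thread and not Vodafone's system. The group names, record fields and sample data are assumptions.

```python
from dataclasses import dataclass

# Constructed sample records; field names and values are assumptions.
CUSTOMERS = {
    "c1": {"name": "A. Example", "address": "1 Sample St",
           "card": "4111111111111111", "rep": "alice"},
    "c2": {"name": "B. Example", "address": "2 Sample St",
           "card": "5500000000000004", "rep": "bob"},
}
AUDIT_LOG = []  # (login, customer_id, decision): one entry per access attempt


@dataclass(frozen=True)
class User:
    login: str                      # one login per person, never per store
    groups: frozenset = frozenset()


def mask_card(pan: str) -> str:
    """Show only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def view_customer(user: User, customer_id: str) -> dict:
    """Return the view of a record this user is entitled to; deny by default."""
    record = CUSTOMERS[customer_id]
    is_own_rep = "rep" in user.groups and record["rep"] == user.login
    may_see_cards = "card_viewers" in user.groups   # hypothetical small group
    if not (is_own_rep or may_see_cards):
        AUDIT_LOG.append((user.login, customer_id, "deny"))
        raise PermissionError(f"{user.login} may not view {customer_id}")
    AUDIT_LOG.append((user.login, customer_id, "allow"))
    card = record["card"] if may_see_cards else mask_card(record["card"])
    return {"name": record["name"], "address": record["address"], "card": card}


if __name__ == "__main__":
    alice = User("alice", frozenset({"rep"}))
    print(view_customer(alice, "c1"))        # own customer, card masked
    try:
        view_customer(alice, "c2")           # another rep's customer
    except PermissionError as exc:
        print("denied:", exc)
    print(AUDIT_LOG)
```

Because every decision is logged against a personal login, a leaked record can be traced to one account rather than to a whole store.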

  2. Valuable goods will be stolen by Stiletto · Score: 4, Insightful

    I don't try to hide and lock down my car's license plate number. My car's license plate number is 6NHG617. Nobody cares about it and nobody wants to steal it. It's not valuable. The solution to the "problem" of personal identification theft is not to keep trying to hide and lock down personal information. The solution is to make personal information no longer valuable.

    1. Re:Valuable goods will be stolen by arkhan_jg · Score: 4, Informative

      Tell that to the people that have had their car number plate cloned for a similar model car, and end up getting speeding tickets and congestion charges for driving in London, despite not doing anything of the sort. And good luck getting the police to believe that's not your car and number plate in the photos.

      The problem is not the openness (or not) of people's data. It's that it's trivially abused as personal data is often used as some form of ID, not least by banks, credit agencies, police and shops.

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
    2. Re:Valuable goods will be stolen by Darshu · Score: 5, Informative

      On the contrary. ID is not permitted to be required. See right here:

      http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html

      [On an OT note, since when does Slashdot require me to wait for an extraordinarily long period of time when I am just trying to reply with some simple information?]

  3. Re:Secure customer database? by TheRaven64 · Score: 3, Funny

    It's just a missing hyphen. They meant secure-customer database. They put their insecure customers in another database and send them reassuring text messages periodically.

    --
    I am TheRaven on Soylent News
  4. Re:Prepaid SIMs by Kalriath · Score: 3, Informative

    Bollocks, don't you go speaking for NZ. You can just buy a voucher - with cash - and use the code printed on it to top up.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  5. Re:Let me be the first to say by Bert64 · Score: 3, Informative

    Considering that as a Vodafone customer you can travel to 30 countries and use a network owned by the same company, the roaming rates are pretty extortionate when you actually try to do so.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  6. Re:Prepaid SIMs by Zalchiah · Score: 4, Informative

    If you have placed a SIM card in a phone, and turned that phone on, your phone company has your phone model. Your IMEI is recorded when your handset connects to your nearest cell tower, and is recorded with every call or txt you make. Also, Siebel (the system that both Vodafone and Telstra use in Australia) automatically records this IMEI against your account. With an IMEI, it is extremely easy to find out the phone model. For free. Online. http://www.numberingplans.com/?page=analysis (Sometimes it asks for a login, sometimes it doesn't. A login is free to create.)