Slashdot Mirror


Vodafone Australia Employee Searched Journalist's Phone Records To Find Source

An anonymous reader writes: In 2011, a journalist named Natalie O'Brien published a series of stories on security problems in Vodafone's Siebel data system. "Customers' home addresses, driver's licenses and credit card details were all available online, O'Brien wrote, and criminal groups were paying for customers' private information." Now, Vodafone Australia has admitted that an employee went through her phone and text records to try and figure out who her sources were within the company. O'Brien wrote, "The invasion of privacy is devastating. It plays with your mind. What was in those texts? Who were they to? What did they see? What did they do with the information?" Despite the admission, Vodafone has denied that it engaged in improper behavior (PDF). The company says it found no evidence the employee was directed to do so by management. That said, leaked emails show management became aware of the privacy breach and its potential repercussions as early as 2012.

65 comments

  1. "Just a totally rogue employee, not us" by NotDrWho · · Score: 1, Insightful

    ....says the CIA every time one of their agents is caught plotting an assassination, government overthrow, or arranging to help the rebels sell drugs for guns.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:"Just a totally rogue employee, not us" by wonkey_monkey · · Score: 5, Funny

      If any member of your team is caught or killed, Vodafone will disavow all knowledge of your actions.

      This tape will self destruct in five minutes, mate.

      --
      systemd is Roko's Basilisk.
    2. Re:"Just a totally rogue employee, not us" by U2xhc2hkb3QgU3Vja3M · · Score: 2

      Canadian version:

      If any member of your team is caught or killed, Bell Canada will disavow all knowledge of your actions.

      This tape will self destruct in five seconds, eh?

    3. Re:"Just a totally rogue employee, not us" by Anonymous Coward · · Score: 1

      Nah, the CIA doesn't even acknowledge that they're an employee at all. They just let them take the fall as a "tourist" or "hiker." As in "tourist caught hiking in Iran with a satellite phone, $50,000 in cash, and several radios and guns in his backpack--U.S. government says he's an innocent student who just crossed the border by mistake."

    4. Re:"Just a totally rogue employee, not us" by Anonymous Coward · · Score: 0

      Judging from your username you placed your password in the wrong box. How do you even log in with that?

    5. Re:"Just a totally rogue employee, not us" by Adriax · · Score: 3, Funny

      At least the Mission Impossible agents were given a choice, "Your mission, if you choose to accept it".
      Vodafone's tape starts out as "Your mission, which is a core item of your monthly performance review".

      --
      I don't suffer from insanity, I enjoy every minute of it!
    6. Re:"Just a totally rogue employee, not us" by Anonymous Coward · · Score: 0

      Probably a hash of his actual username.

    7. Re:"Just a totally rogue employee, not us" by U2xhc2hkb3QgU3Vja3M · · Score: 1

      My browser remembers stuff for me.

    8. Re: "Just a totally rogue employee, not us" by phorm · · Score: 1

      "Your business is important to us, please stay on the line and the next available spy will be available as soon as possible."

    9. Re:"Just a totally rogue employee, not us" by Anonymous Coward · · Score: 0

      It's the definition of "management": someone who wants the authority and the pay packet but none of the responsibility. We insist on democracy for the public enterprise of state, yet persist with feudal cronyism in private enterprise.

    10. Re:"Just a totally rogue employee, not us" by CanadianMacFan · · Score: 1

      I would have gone with Rogers.

    11. Re:"Just a totally rogue employee, not us" by Mattcelt · · Score: 1

      With vanishingly few exceptions, spies never carry guns. It's an automatic admission of guilt.

  2. Re:Victims by JustAnotherOldGuy · · Score: 1, Funny

    Ah, the victim was female. Time to fire up the media outrage machine. Let's call it what it really was: a digital rape.

    OMG you triggered me with the word 'digital', you heartless CIS-male hetero-normative bastard.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  3. Way to take the initiative by DumbSwede · · Score: 5, Insightful

    So... some guy in the data centre just takes it upon himself to go look up the info on some journalist, 'cause you know that's what IT guys do all day long, look up stuff on people with no direction.

    The company has very strict controls and processes around the privacy of customer information, and has appointed a dedicated privacy officer.

    So glad they have this in place, seems to be doing a bang-up job. I can totally see how some low-level employee would totally disregard this to dig up dirt on a journalist and her accomplices. Because, you know, there's so much in it for the low-level employee.

    1. Re:Way to take the initiative by Anonymous Coward · · Score: 0

      So now he will face the music "alone"...

      Let's see if the company will "fund" his defense or if he kept anything incriminating on his bosses.
      This should be fun.

    2. Re:Way to take the initiative by gstoddart · · Score: 1

      See, that's the great thing about being a corporation ... no actual liability.

      Your staff does something shady? Well, you can fire them and say "the person responsible has been sacked".

      Your management tells your staff to do something shady? Well, you can pretend like it was a rogue employee and deny all responsibility.

      As you say, I find it exceedingly difficult to believe some tech guy just decided to do this on his own. I don't believe that at all.

      --
      Lost at C:>. Found at C.
    3. Re:Way to take the initiative by Anonymous Coward · · Score: 0

      "I find it exceedingly difficult to believe some tech guy just decided to do this on his own."

      It could very well be the company trying to blame a low-level employee, but I think you'd be surprised how stupid individual people can be when they have information access. I remember a story a while back about improper access of driver's license information. A rather attractive female police officer in a larger city had heard rumors of people using the license database to get a look at her (even though driver's license photos aren't usually the most flattering photo one can find). The department thought she was being paranoid but checked anyway. Her records had been accessed dozens of times by officers all over the city. Similar cases have occurred around celebrities; I think when they did an audit out in California they found one actor's records had been accessed over 450 times. Needless to say, none of those who misused their access saw any significant penalties.

  4. Re:Victims by U2xhc2hkb3QgU3Vja3M · · Score: 0

    Let's be thankful it wasn't cyber digital virtual rape!

  5. Sounds reasonable to me by flopsquad · · Score: 2

    Now, Vodafone Australia has admitted that an employee went through her phone and text records to try and figure out who her sources were within the company. . . . Despite the admission, Vodafone has denied that it engaged in improper behavior (PDF). The company says it found no evidence the employee was directed to do so by management.

    Oh. Well, as long as it was some IT vigilante whose love for Vodafone just got the better of him. Sounds fine to me!

    Probably just some sweet, over-dedicated mook who took the workplace banner too seriously. Definitely not any of the top brass directing this to happen.

    --
    Nothing posted to /. has ever been legal advice, including this.
    1. Re:Sounds reasonable to me by Anonymous Coward · · Score: 0

      Yeah, sounds like Vodafone gets the benefits of an illegal records search and also gets to deny that "the company" had anything to do with that illegality.

      My goodness, being a business has all sorts of amusing benefits! Where can I sign up to become a corporation? Being a citizen is so last century, what with unlimited liability, corporate and government spying, ignorance of the law not being an excuse, and no ability to give myself unlimited pay raises. I want to be a corporation instead!

      Being a corporation means never having to say you're sorry. Or go to jail. Or admit to wrongdoing.

  6. Not directed by management by U2xhc2hkb3QgU3Vja3M · · Score: 3, Insightful

    The company says it found no evidence the employee was directed to do so by management.

    Alright people, listen up! We have a spy in our ranks. We're not ordering or even asking anyone to search for the spy, but if one of you should happen to stumble into any bit of information about this, please keep in mind that we do offer a huge bonus.

  7. "Trust Us" by Anonymous Coward · · Score: 0

    You can always trust someone else to keep your private data private, no matter what.

  8. Re:Over the top by Luthair · · Score: 4, Insightful

    Precisely how would she remove records stored in the carrier's data centre?

  9. Overzealous/psychotic management by nimbius · · Score: 5, Interesting

    It's not uncommon to have middle management or even upper management that get a little overzealous with the amount of power they wield.

    Working for a hosting company, I once had a manager that was absolutely furious that we hosted a domain that endorsed abortions and facilitated service provider interactivity. My manager didn't have access to the accounts database, but she knew members of her team surely did. She wanted log summaries of people who visited, which is a request that has to go through InfoSec. Once they denied it based on lack of a warrant, she started trolling the team for info during lunch. The fact that we don't obsess over every single site, let alone her problem child, seemed to make her upset. She submitted 3 requests for content review by the abuse department, and finally quit when their manager kept sending the original report back. She hit all of us up for account information for the user, and even tried logging in as the tape backup administrator after finding their username in some documentation. She was eventually fired after trying to tie our performance raises to the account information.

    --
    Good people go to bed earlier.
    1. Re:Overzealous/psychotic management by Anonymous Coward · · Score: 0

      Wow.

      She was eventually fired after trying to tie our performance raises to the account information.

      I'm amazed she lasted that long.

    2. Re:Overzealous/psychotic management by Chris+Mattern · · Score: 1

      Indeed. She should have been gone, gone, gone when she tried logging on as the backup administrator, since she had no authority to use that account.

    3. Re:Overzealous/psychotic management by marovada · · Score: 1

      I think you mean 'psychopathic'

  10. Re:Over the top by Anonymous Coward · · Score: 2, Insightful

    I think she is simply making the most out of the situation for her own gain.

    Step 1: Deny. Deny. Deny.
    Step 2: Blame the victim.

  11. Two points by Anonymous Coward · · Score: 0

    1. The data existed.
    2. That's all it takes.

    1. Re:Two points by r-diddly · · Score: 1

      That's sort of one point.

  12. A perfect example by Somebody+Is+Using+My · · Score: 4, Insightful

    This case is a perfect example of why this sort of data should be encrypted on the device and in no way accessible to anyone except the owner. Because if there is a backdoor to this data, whether protected by "procedure" or an escrowed key, it /will/ be abused. If it is not the government abusing this privilege, then it will be a corporation, or an individual with a personal grudge, or criminal elements (or even worse, marketing departments!). It doesn't matter what sort of "controls" you put on those back-doors, ultimately they will be ignored and abused. The number of people who get "hacked" in this way may be low, but even one is too many.

    This case should be dredged up every time a law-enforcement agency insists that easy access to personal data is a necessity in this digital age. They claim that there are protections in place to prevent this sort of thing; evidence (and common sense) show that this is nonsense. The only way to prevent this sort of abuse is not to remove the temptation from third parties entirely; make the data on the device (or service) inaccessible unless you have the key to decrypt it, and ensure that only the owner of the data has that key.

    1. Re:A perfect example by Anonymous Coward · · Score: 2, Informative

      It's not data on the phone. It's records of what calls she's made, so that it identifies who she has spoken to. Those have to be stored centrally to generate statistics to identify system problems and to generate billing.

      It's the equivalent of an Apache access.log file, but one that can't be turned off because they do the bill runs off the data.

    2. Re:A perfect example by Solandri · · Score: 1

      This case is a perfect example of why this sort of data should be encrypted on the device and in no way accessible to anyone except the owner.

      That ship has sailed. Like email, SMS texts are sent unencrypted. And it's going to take a herculean effort coordinating thousands of companies servicing billions of people to change it to something more secure. We've been trying to do just that with email for 20+ years and it's gone nowhere.

      I'm not sure what the solution is. This sort of stuff seems to happen all the time - PHP being the most egregious example I can think of (even its authors admit it's just a bunch of hacks tacked on every time someone needed new functionality). Maybe people need to stop coming up with half-assed implementations "just to get it working" thinking they can "fix it up later"?

  13. Re:Over the top by Khyber · · Score: 0

    Turn in your geek card because you're not worth your name.

    "Second, why didn't she protect her data (or remove it) prior to releasing the story."

    Yup, let's see her wipe data stored in a database she doesn't control.

    You're not fit to have UNIX in your name.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  14. anonymous cell phones by NostalgiaForInfinity · · Score: 4, Interesting

    You can never really protect against these kinds of invasions of privacy, in particular by telecoms or governments.

    Professional journalists should be using "burner phones" for this. That's their job as professionals, even if some countries (I guess Australia among them) make this difficult.

    People should also protest against legal requirements for registering their phones with the government.

    1. Re:anonymous cell phones by SJ2000 · · Score: 3, Informative

      There is no such thing as "burner phones" in Australia, you must have 100 points of ID in order to activate a mobile phone service.

    2. Re:anonymous cell phones by NostalgiaForInfinity · · Score: 4, Insightful

      There is no such thing as "burner phones" in Australia,

      Sure there are: you can violate the law to get them (consider it an act of civil disobedience). You can get a foreign SIM card (there are plenty of companies that offer those, and quite cheaply too). Journalists can set up a phone-swapping club. Or you can use smart phones and use text messages only to initiate communications on privacy-conscious chat services.

    3. Re:anonymous cell phones by clonehappy · · Score: 1

      Or, I don't know, just not use Vodafone?

      I know if I was a journalist doing some "juicy expose" on, for example, Verizon or AT&T here in the good old US-of-A, I'd surely be using my T-Mobile line for any communication with a whistleblower. Even if that T-Mobile line was 100% traceable back to me, it would remove the ability for the company I'm exposing to see who I was talking to, at least directly.

      Using a company's own services to communicate with internal employees who are leaking sensitive data is just plain dumb regardless of whether there are legal anonymous forms of communication available or not.

    4. Re:anonymous cell phones by Anonymous Coward · · Score: 1

      You're doing your juicy expose on Verizon.

      Someone you call while doing your juicy expose on Verizon happens to use Verizon.

      How did you stop your T-Mobile phone number from showing up in the Verizon call data?

    5. Re:anonymous cell phones by Anonymous Coward · · Score: 0

      VOIP

  15. Re:Welcome to Libertarian Utopia by TapeCutter · · Score: 1

    You have no rights at all when it comes to business.

    Keep believing that and it will come true.

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  16. Re:Over the top by SeaFox · · Score: 0

    If you're writing a story about problems with Vodafone data security, even ignoring possible retaliation from the company, why would you want to store sensitive data with the very company you're writing about? Seems a bit "duh" to me.

    You know what can't get remotely read? Notes in a paper notebook.

  17. Re:Over the top by Anonymous Coward · · Score: 0

    The call and message metadata are stored in there to record what calls you made / messages you sent (CDRs - Call Detail Records). They're used to debug why calls have failed, generate statistics so they can detect problems, and to generate the billing for you. And they need to be stored for itemised billing, otherwise they can't show you what calls you made that justify the bill they're charging you.

    It's absolutely essential data in order to run a phone business. The end-user is protected from data breaches because the law very strictly controls who can use that data and for what purposes. It also dictates a maximum length of time the company can store the data for. The use here definitely broke the law, no question.

    They won't have stored recordings of the content, just the communication between users. In this case the employee was probably trying to find who she was talking to, and, out of those people, who worked for Vodafone or a partner.

  18. Re:Victims by Adriax · · Score: 1

    "It" is one of my trigger words. Check your privilege.
    Nii.

    --
    I don't suffer from insanity, I enjoy every minute of it!
  19. It is their problem to curtail "rogue employees" by Anonymous Coward · · Score: 0

    It is possible to prevent such breaches:
      - force employees yearly through silly training slides about what is and isn't appropriate.
      - make employees sign solemn disclosures before giving them access to data
      - connect every access to user data to a ticket describing what the data will be used for
      - make logs of log access. The log should record the query; copying bulk data out of the database that logs queries should be forbidden, and queries that do so should trigger enforcement.
      - any programs that access particularly juicy data like logs of phone calls or social graphs (as opposed to customer name and address, billing status, etc.) should be blocked from running by some core piece of infrastructure unless their source is checked into revision control, and the binary built from it is signed by some trusted build robot (f-droid style).

    Other companies with mountains of personal data do (almost) all these things. Companies running that tight a ship probably pat ourselves on the back for it, but incidents like this show it needs to become the minimum standard.

    When Facebook started, they were notorious because any employee could bypass all ACLs, but when they got big they (I have heard) shut that shit down and got serious. This bulleted infrastructure would come from the parent company Vodafone, which is huge, while Vodafone Australia is I think the trailing carrier in that market, but any telco is huge in revenue and subscriber count compared to early Facebook (when they were turning on one university at a time and running on VC), and furthermore telcos are juicy targets for exfiltration and rogue analysis. They need to do this stuff. It's concerning they don't seem to have any desire at corporate level to improve, while ad-supported web companies do. If she had used the GVoice dialer to make these calls, Vodafone would not have the metadata, justsayin'.

    so maybe you should get an ad-supported phone if you value your privacy. :p

  20. Re:Over the top by gmack · · Score: 1

    They searched her call history genius. How is she going to make phone calls using a paper notebook?

  21. You laugh but Costas Tsalikidis was found hanged by Anonymous Coward · · Score: 5, Insightful

    Funny, except for a few things:

    Vodafone have been revealed to be the major company helping GCHQ spy on its own people and allies.
    Vodafone was the mobile network that spied on Greece ministers during the Olympics.
    Costas Tsalikidis, their engineer was found dead (hanged) when the bugging was discovered.

    http://spectrum.ieee.org/telecom/security/the-athens-affair

    So yeh ha ha ha +5 funny.

  22. Re:Over the top by budgenator · · Score: 1

    This is a very good argument for not using text messaging and sending everything even remotely interesting via encrypted email, and having everything sent via Email encrypted; if only interesting emails are encrypted, then bad actors will know which emails are of interest.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  23. Re:Over the top by unixcorn · · Score: 1

    She could choose another wireless company?

  24. Re:Welcome to Libertarian Utopia by Jawnn · · Score: 1

    You have no rights at all when it comes to business.

    Keep believing that and it will come true.

    It's not a matter of belief. It is a readily observable fact.

  25. Re:Over the top by Hotawa+Hawk-eye · · Score: 1

    Who said she used her Vodafone account to contact her source? The article says that the company searched, not that they found the information they sought.

  26. Mission Possible by Roger+W+Moore · · Score: 1

    Like one of the posts says above: "If any member of your team is caught or killed, Vodafone will disavow all knowledge of your actions."

  27. CPNI access for personal gain = termination by Anonymous Coward · · Score: 0

    CPNI access for personal gain = termination

    Fired or not? If not, when?

  28. Yuck Siebel by Anonymous Coward · · Score: 0

    You know who else uses Siebel? AT&T

    You know what else AT&T Wireless (pre-Cingular) did? Trainees had full access to the AXYS and SIEBEL system and were fired for looking up celebrities' and politicians' information.

    And you know how you prevent that? ... 1) Don't outsource. This is way too much information to hand to a third party, even inside the US. 2) Flag accounts (e.g. celebrities, politicians, CEOs, etc.) that are searched and notify HR that a CSR is looking up information that they may have no reason to.

    Like in the case of Vodafone, I reasonably suspect they have the same issues as AT&T: the average CSR has no reason to question information presented by a caller, and is easily socially engineered into looking up information they shouldn't be. If someone calls in, and says they are an FBI agent, hands them a phone number and can verify the information on the account, then the CSR has no reason to deny them access.

    And this happens.

    There are people who call in and want you to recite off every call made over the last month.
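Two of the controls proposed in this thread, ticket-linked access with query logging and a bulk-extraction limit (comment 19), and flagging lookups of watch-listed subscribers for review (comment 28), as an added example that is not part of the original thread or any carrier's code. The log format, the `cdr` table name, the `TCK-` ticket scheme, the watch-list and the row threshold are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample query-audit log (not from the page or from any carrier).
# Format: timestamp employee ticket-or-dash query-text rows-returned
SAMPLE_LOG = """\
2012-01-10T09:02:11Z emp042 TCK-1183 SELECT * FROM cdr WHERE msisdn='61400000001' AND call_date>='2012-01-01' 17
2012-01-10T09:15:40Z emp042 - SELECT * FROM cdr WHERE msisdn='61400000002' 230
2012-01-10T11:47:03Z emp077 TCK-1190 SELECT msisdn,called FROM cdr WHERE call_date='2012-01-09' 48210
2012-01-10T13:05:59Z emp091 TCK-1201 SELECT * FROM customer WHERE account_id=555001 1
"""

# Constructed watch-list of subscribers whose records deserve review on every lookup
# (journalists, public figures, staff); in practice this is maintained by the privacy officer.
WATCH_LIST = {"61400000002"}
# Constructed threshold above which a CDR query counts as "copying bulk data out".
BULK_ROW_LIMIT = 10_000

TICKET_RE = re.compile(r"^TCK-\d+$")
MSISDN_RE = re.compile(r"msisdn\s*=\s*'(\d+)'", re.IGNORECASE)
CDR_RE = re.compile(r"\bFROM\s+cdr\b", re.IGNORECASE)


@dataclass
class Finding:
    employee: str
    reason: str
    line: str


def parse_line(line):
    """Split one audit line into (timestamp, employee, ticket, query, rows).

    The query text may contain spaces, so the first three fields are split off
    from the left and the row count from the right.
    """
    ts, emp, ticket, rest = line.split(" ", 3)
    query, rows = rest.rsplit(" ", 1)
    return ts, emp, ticket, query, int(rows)


def audit(log_text, watch_list=WATCH_LIST, bulk_limit=BULK_ROW_LIMIT):
    """Return a Finding for every policy violation in the audit log.

    Three checks, in the order they appear on the page:
      1. a CDR query with no valid ticket reference (access without a documented purpose);
      2. any lookup of a watch-listed subscriber, regardless of ticket (review/notify);
      3. a CDR query returning more rows than the bulk limit (bulk extraction).
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, emp, ticket, query, rows = parse_line(line)
        touches_cdr = bool(CDR_RE.search(query))
        if touches_cdr and not TICKET_RE.match(ticket):
            findings.append(Finding(emp, "CDR access with no ticket reference", line))
        for msisdn in MSISDN_RE.findall(query):
            if msisdn in watch_list:
                findings.append(Finding(emp, f"lookup of watch-listed subscriber {msisdn}", line))
        if touches_cdr and rows > bulk_limit:
            findings.append(Finding(emp, f"bulk CDR extraction ({rows} rows)", line))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.employee}: {f.reason}")
```

On the constructed log this reports the ticket-less lookup and the watch-listed subscriber (both from the same query) plus one bulk extraction, and is silent on the two routine lookups.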

  29. Re:Over the top by joeblog · · Score: 1

    She could choose another wireless company?

    Note, Vodacom (sorry, I mean its fall guy employee) did it "to try and figure out who her sources were within the company". Vodacom probably assumed the deep throat would be dumb enough to use his company phone, and can track incoming and outgoing calls from its network.

    --
    If it works, it's obsolete
  30. Re:Over the top by Anonymous Coward · · Score: 0

    This is a very good argument for not using text messaging and sending everything even remotely interesting via encrypted email, and having everything sent via Email encrypted; if only interesting emails are encrypted, then bad actors will know which emails are of interest.

    The company doesn't need to read the emails or texts or listen to the phone calls, they just need the call records to know who was talking to the reporter. They can use simple harassment and victimization to take it from there.

    Posting as A/C due to mod points.

  31. They should investigate all Aussie Telcos by Anonymous Coward · · Score: 0

    They all like to sell customer data contrary to their privacy policies. e.g.: I use a domain-specific email address for every company I deal with on the internet. I once started receiving SPAM for iPhone Sort It! apps [Sort It Apps, LLC] via my Telstra email address. When I approached Telstra, another Australian telco, about it I never received a human response but the SPAM stopped coming through on that address almost immediately.

  32. This is confusing by Anonymous Coward · · Score: 0

    I'm confused. The article states that Vodafone denies any "improper behaviour" even though internal emails show they knew that the breach took place, knew it was against the law, and deliberately lied to authorities to keep the incident covered up. Is this considered proper behaviour for corporations in Australia? Why hasn't the "rogue" employee been turned over to the authorities for prosecution? Could it be that management is afraid of what he might say in his own defense?

    I'm sorry, but this just reeks of high level damage control by executives desperate to keep their own asses out of prison for their own actions in this.

  33. Re:Victims by _merlin · · Score: 3, Informative

    Let's call it what it really was: a digital rape.

    In Australia, legally speaking "digital rape" refers to the use of fingers to sexually penetrate someone without consent. Calling this "digital rape" wouldn't fly in court, since it's a legal term with an established meaning.

  34. Re:Over the top by Anonymous Coward · · Score: 0

    Yeah, the data is in the data center - all of ours is. Why don't we control it then?

    Data belonging to you != data about you. Both are written 'your data', but one is possessive, and the other is applicative.

    I could make a note of what colour hat you wore every day. That'd be your data (of you) but it would be mine (because I collected it).