Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vodafone Australia Employee Searched Journalist's Phone Records To Find Source

Posted by Soulskill on from the chilling-effects dept.

An anonymous reader writes: In 2011, a journalist named Natalie O'Brien published a series of stories on security problems in Vodafone's Siebel data system. "Customers' home addresses, driver's licenses and credit card details were all available online, O'Brien wrote, and criminal groups were paying for customers' private information." Now, Vodafone Australia has admitted that an employee went through her phone and text records to try and figure out who her sources were within the company. O'Brien wrote, "The invasion of privacy is devastating. It plays with your mind. What was in those texts? Who were they to? What did they see? What did they do with the information?" Despite the admission, Vodafone has denied that it engaged in improper behavior (PDF). The company says it found no evidence the employee was directed to do so by management. That said, leaked emails show management became aware of the privacy breach and its potential repercussions as early as 2012.

16 of 65 comments (clear)

  1. Re:"Just a totally rogue employee, not us" by wonkey_monkey · · Score: 5, Funny

    If any member of your team is caught or killed, Vodafone will disavow all knowledge of your actions.

    This tape will self destruct in five minutes, mate.

    --
    systemd is Roko's Basilisk.
  2. Way to take the initiative by DumbSwede · · Score: 5, Insightful

    So... some guy in the data-center just take it upon himself to go look up the info on some journalist, ‘cause you know that’s what IT guys do all day long, look up stuff on people with no direction.

    The company has very strict
    controls and processes around the privacy of customer information, and has appointed a dedicated privacy officer.

    So glad they have this in place, seems to be doing a bang up job. I can totally see how some low level employee would totally disregard this to dig up dirt on a Journalist and her accomplices. Because, you know, there’s so much in it for the low level employee.

    --
    Letter To Iran
  3. Re:"Just a totally rogue employee, not us" by U2xhc2hkb3QgU3Vja3M · · Score: 2

    Canadian version:

    If any member of your team is caught or killed, Bell Canada will disavow all knowledge of your actions.

    This tape will self destruct in five seconds, eh?

  4. Sounds reasonable to me by flopsquad · · Score: 2

    Now, Vodafone Australia has admitted that an employee went through her phone and text records to try and figure out who her sources were within the company. . . . Despite the admission, Vodafone has denied that it engaged in improper behavior (PDF). The company says it found no evidence the employee was directed to do so by management.

    Oh. Well, as long as it was some IT vigilante whose love for Vodafone just got the better of him. Sounds fine to me!

    Probably just some sweet, over-dedicated mook who took the workplace banner too seriously. Definitely not any of the top brass directing this to happen.

    --
    Nothing posted to /. has ever been legal advice, including this.
  5. Not directed by management by U2xhc2hkb3QgU3Vja3M · · Score: 3, Insightful

    The company says it found no evidence the employee was directed to do so by management.

    Alright people, listen up! We have a spy in our ranks. We're not ordering or even asking anyone to search for the spy, but if one of you should happen to stumble into any bit of information about this, please keep in mind that we do offer a huge bonus.

  6. Re:Over the top by Luthair · · Score: 4, Insightful

    Precisely how would she remove records stored in the carriers data centre?

  7. Overzealous/psychotic management by nimbius · · Score: 5, Interesting

    Its not uncommon to have middle management or even upper management that get a little overzealous with the amount of power they wield.

    Working for a hosting company, I once had a manager that was absolutely furious that we hosted a domain that endorsed abortions and facilitated service provider interactivity. my manager didnt have access to the accounts database, but she knew members of her team surely did. She wanted log summaries of people who visited, which is a request that has to go through InfoSec. Once they denied it based on lack of a warrant, she started trolling the team for info during lunch. The fact that we dont obsess over every single site, let alone her problem child, seemed to make her upset. She submitted 3 requests for content review by the abuse department, and finally quit when their manager kept sending the original report back. She hit all of us up for accounts information for the user, and even tried logging in as the tape backup administrator after finding their username in some documentation. She was eventually fired after trying to tie our performance raises for the account information.

    --
    Good people go to bed earlier.
  8. Re:Over the top by Anonymous Coward · · Score: 2, Insightful

    I think she is simply making the most out of the situation for her own gain.

    Step 1: Deny. Deny. Deny.
    Step 2: Blame the victim.

  9. A perfect example by Somebody+Is+Using+My · · Score: 4, Insightful

    This case is a perfect example of why this sort of data should be encrypted on the device and in no way accessible to anyone except the owner. Because if there is a backdoor to this data, whether protected by "procedure" or a escrowed key, it /will/ be abused. If it is not the government abusing this privilege, then it will be by a corporation, or by an individual with a personal grudge, or by criminal elements (or even worse, by marketing departments!). It doesn't matter what sort of "controls" you put on those back-doors, ultimately they will be ignored and abused. The number of people who get "hacked" in this way may be low, but even one is too many.

    This case should be dredged up every time a law-enforcement agency insists that easy access to personal data are a necessity in this digital age. They claim that there are protections in place to prevent this sort of thing; evidence (and common sense) show that this is nonsense. The only way to prevent this sort of abuse is not to remove the temptation from third-parties entirely; make the data on the device (or service) inaccessible unless you have the key to decrypt it, and ensure the only the owner of the data has that key.

    1. Re:A perfect example by Anonymous Coward · · Score: 2, Informative

      It's not data on the phone. It's records of what calls she's made, so that it identifies who she has spoken to. Those have to be stored centrally to generate statistics to identify system problems and to generate billing.

      It's the equivalent of an Apache access.log file, but one that can't be turned off because they do the bill runs off the data.

  10. anonymous cell phones by NostalgiaForInfinity · · Score: 4, Interesting

    You can never really protect against these kinds of invasions of privacy, in particular by telecoms or governments.

    Professional journalists should be using "burner phones" for this. That's their job as professionals, even if some countries (I guess Australia among them) make this difficult.

    People should also protest against legal requirements for registering their phones with the government.

    1. Re:anonymous cell phones by SJ2000 · · Score: 3, Informative

      There are no such thing as "burner phones" in Australia, you must have 100 points of ID in order to activate a mobile phone service.

    2. Re:anonymous cell phones by NostalgiaForInfinity · · Score: 4, Insightful

      There are no such thing as "burner phones" in Australia,

      Sure there are: you can violate the law to get them (consider it an act of civil disobedience). You can get a foreign SIM card (there are plenty of companies that offer those, and quite cheaply too). Journalists can set a phone swapping club. Or you can use smart phones and use text messages only to initiate communications on privacy-conscious chat services.

  11. Re:"Just a totally rogue employee, not us" by Adriax · · Score: 3, Funny

    Atleast the mission impossible agents were given a choice, "Your mission, if you choose to accept it".
    Vodafone's tape starts out as "Your mission, which is a core item of your monthly performance review".

    --
    I don't suffer from insanity, I enjoy every minute of it!
  12. You laugh but Costas Tsalikidis was found hanged by Anonymous Coward · · Score: 5, Insightful

    Funny, except for a few things:

    Vodafone have been revealed to be the major company helping GCHQ spy on its own people and allies.
    Vodafone was the mobile network that spied on Greece ministers during the Olympics.
    Costas Tsalikidis, their engineer was found dead (hanged) when the bugging was discovered.

    http://spectrum.ieee.org/telecom/security/the-athens-affair

    So yeh ha ha ha +5 funny.

  13. Re:Victims by _merlin · · Score: 3, Informative

    Let's call it what it really was: a digital rape.

    In Australia, legally speaking "digital rape" refers to the use of fingers to sexually penetrate someone without consent. Calling this "digital rape" wouldn't fly in court, since it's a legal term with an established meaning.