Tuesday, January 11, 2011

Vodafone Privacy Scandal

Happy New Year to everyone.

Interesting that I get to kick off my first post of 2011 on what could be considered the largest privacy breach in Australian history.

In away, I think we need to be greatful that the Vodafone privacy scandal has drawn so much attention. We (Australia) never had our Heartland or TJX or anything like that. Our complacency and lack of strict privacy regulation means that we don't get to see the notifications of privacy breaches. Some companies, such as Telstra have "voluntary notification policy" concerning privacy breaches but perhaps I'm one of those skeptics who wonder just how much they would "volunteer" if they were put to the test.

Potentially, this incident has the chance to bring about change on the legal landscape. In reality, it is no doubt being lost in the deluge (no pun intended) of news concerning the Queensland floods.

There is a lot of blogging going on about the basic security controls that Vodafone could have/should have implemented but didn't. I'd love to wag my finger at them and say how naughty they are but the reality is that this is FAR MORE COMMON than most people are aware of and what security professionals can tell.

The best thing security conscious folk can recommend is that if consumers give a shred about their personal information in any respect (including SMS messages and call usage btw) then I suggest you push anyone and everyone you know who is using Vodafone to another carrier. I am already telling immediate friends and family who use them to make the switch. I urge you to do the same.

The only thing companies understand  are dollars and cents. So make the message strong and clear - tell these businesses we will not accept poor security. Personal information does have a value and its high time companies recognise the cost of failing to protect it.

- J.


Anonymous said...

Seems that Vodafone has got more things wrong than only privacy:

- One day I stopped receiving Vodafone mobile phone bills. Didn't notice it as I was quite busy until one day I got an SMS from Vodafone telling me that I should call them to organise the payment.

- I call them and get to talk to someone (presumably in India) who informs me that I have been notified and I have given consent to email billing. I am 100% certain I have never talked email billing with anyone. She also tells me that I should have received an email bill (which I never have even if the email address in their database appears correct). Meanwhile, she keeps insisting that there is absolutely nothing wrong with their system and that I have definitely received the email.

- Of course, I won't pay anything without a bill so I won't just give her my credit card details to pay an arbitrary sum.

- When I ask her to resend the bill(s) she says she can't use my email address because it's not validated (therefore, I also never have received the bills which I have absolutely, definitely received according to her) and I have to respond to the validation email (which I also never received) before I can receive my bills.

- After a while of arguing, she agrees to send me a new validation email that I should receive in 48 hours (that's a long time for an email!) which I of course never receive (it's not in the spam folder, either).

- In the Vodafone shop, I get a printout of my bill and I can pay it on the spot. The shop attendant - a very helpful and nice person, by the way - also disables the email billing option so now it's exciting to see whether I will again start receiving paper bills.

K9Pup said...

As you have mentioned. Vodaphones' indiscretion is merely the tip of the iceberg when it comes to privacy/security infractions.
Regulatory compliance is still in its infancy in Australia and even when adopted by large organisations it still suffers from in-house sanitation where minor infractions could impact company shareholder value.

Does anyone recall the last public release of credit card fraud reports from their local bank?
How about a certain Aussie telco in their haste to offshore technical support releasing confidential details and records of a certain state government in Australia. No doubt these and many more instances of a similar nature are hosed in-house by Senior Management.

Long live Wiki Leaks!