10 January 2011

We take it very seriously

Over the weekend I pointed to reports of unauthorised access and use of Vodafone customer data, with claims that data had been exploited by gangs.

The story continues, with Vodafone chief executive Nigel Dews reported as commenting that he does not believe there is a widespread problem and that "It appears to have been a one-off incident". Customer reassurance aside, it is likely that Vodafone is not in a position to determine whether the problem is "a one-off" or otherwise.

Mr Dews is reported as stating that -
We take this data security issue very seriously.

It's very important that we uphold the highest standards of data integrity for our customers. ...

I'm not concerned about the brand at the moment, I'm mostly concerned about making sure our customers' records are safe.

That stance is traditional, with similar statements by other organisations over the past two decades after revelation that information has been exposed. A more proactive approach to data protection (thereby upholding "the highest standards of data integrity") is appropriate and is indeed achievable.

In an ABC report today Vodafone is described as indicating that a dealer or employee is probably responsible for sharing a password that allowed personal information to become available on the internet. The reality is that numerous dealers and employees, rather than an isolated individual, have probably been sharing. The statement does not lessen the gravity of the situation; it merely indicates that Vodafone has experienced social engineering rather than falling victim to the master hacker - black t-shirt, inked, bad attitude, accommodation in Vladivostok courtesy of the cyber mafiya - featured in popular tales about data loss.

Vodafone is reportedly "resetting passwords every day to make sure the system is secure". We might ask whether that is effective and why such a regime wasn't in place prior to 2011. Are Vodafone's competitors (including the plethora of Telstra, Optus and Virgin dealers) using the same arrangements?

Dews is reported as stating that Vodafone will refer anyone caught to the Australian Federal Police, explaining that "It could be someone who works in our stores or one of our dealers. If that's the case, we will come down with the full force of the law."

A sceptic might wonder about the statement that -
People know and understand and are well trained in our procedures and protocols and it's very important they aren't breached.

Without excessive disrespect for Mr Dews, it would appear that the procedures, training and understanding are inadequate if there has been large-scale (especially recurrent) exposure of data and if Vodafone is not in a position to readily determine what is going on.

Mr Dews is reported as saying "I do want to reassure our customers that we are investigating quickly and thoroughly". Quite so. He went on to promise that "If there are things that we can do to make our data safer, we will implement those with the highest priority". Such reassurance would be strengthened if action had been taken in the past, rather than on a reactive basis.