16 February 2011

Vodafone investigation

The Australian Privacy Commissioner has released his findings [PDF] following an investigation into media reports that claimed billing and call records for up to four million Vodafone customers were available on a publicly accessible website.

The Commissioner's report resembles the very frightful experience of being flogged with a very limp lettuce leaf and a jaundiced observer such as myself might doubt that Vodafone's executives are quivering sleepless in their beds with chagrin and horror at the findings.

The Commissioner indicates that his "investigation looked at Vodafone's compliance with the National Privacy Principles". Sound the trumpets -
In the course of my investigation I did not find any evidence that substantiated the claim that Vodafone customers' personal information was available on a publicly accessible website. However, in my view, Vodafone did not have appropriate security measures in place to protect customers' personal information at the time. Consequently Vodafone was in breach of their obligations under the Privacy Act. I was particularly concerned by Vodafone's use of shared logins and passwords for staff and the broad range of detailed personal information available to them.
The absence of "appropriate security measures" and indications that staff in the Vodafone dealer network have been sharing access and - it seems - providing access/information to third parties does, I suggest, pose real concerns ... concerns that should and indeed can be addressed by the Commissioner, irrespective of whether a list of credit cards or other data has been parked on the web.

In response to the problem the Commissioner notes that -
As part of an undertaking given to the Privacy Commissioner, Vodafone agreed to review its IT security, and all appropriate staff including employees in retail stores and dealerships will be issued with individual login IDs and passwords.
All is well, it seems, as -
I am pleased that on being made aware of the allegations Vodafone acted promptly to put in additional security measures to limit access to the personal information it holds. While I welcome the steps that were taken I have also asked Vodafone to report back to me on the progress of the review and implementation of increased security measures.
A more meaningful review would ask whether the "additional security measures" were effective and why, oh why, Vodafone's practice had been so inept that a problem had required investigation by the Commissioner.

I am unimpressed by the report's indication that -
In response to the investigation, Vodafone:

• advised the Privacy Commissioner it had implemented emergency technical measures and commenced an internal investigation on becoming aware of the allegation,

• advised that customer information was not, and had not, been publicly available on the internet or the Vodafone website,

• provided regular updates to the Privacy Commissioner about its internal investigation
In the tradition of Yes, Minister the Commissioner stated that "this case should serve as a reminder to all businesses using customer management systems to ensure that they have robust privacy protections built in". We might ask whether more than flailing with lettuce leaves and yet another reminder is necessary. Should there be meaningful penalties for bad practice? Should the Commissioner conduct an 'own motion' investigation of Vodafone's competitors (and, if unable to do so because of resource constraints, publicly indicate that bureaucratic incapacity has serious implications)?

The Commissioner stated that -
All businesses must take the privacy of their customers seriously. Systems should be up to date and secure and staff should only have access to the information that is necessary for their work. To comply with the Privacy Act and retain the trust and loyalty of their customers, I urge businesses to review their data security practices to prevent the likelihood of a privacy breach occurring which could have the potential to lead to identity theft or fraud.
That exhortation would be more meaningful if the Commissioner had chosen to move beyond the specific failure by Vodafone - and a narrow construction of media claims - and explore practice elsewhere in the telecommunications sector. Are Vodafone's competitors using the same model?

The report indicates that Vodafone customer data, contrary to media claims, was not placed on the web. That will reassure some observers.

The report however notes that -
Whether the steps taken by Vodafone to protect personal information are reasonable in the circumstances is a subjective test based on the particular risks within its business. In this regard, it is noted that Vodafone's business model includes licensed dealerships which can carry underlying data security risks and, consequently, such risks may warrant additional security safeguards being taken. For example, appropriate authentication of remote users will be an important network security measure. Further, while these dealerships are subject to contracts that include customer confidentiality obligations, the use of store loginIDs, rather than individual loginIDs, also adds to the underlying data security risk.

The use of shared loginIDs reduces the effectiveness of audit trails to assist in investigations and access control monitoring, which are important steps for organisations in protecting personal information. In practical terms, the use of shared logins means that anomalies may not be detected and if they are, they may not be able to be effectively investigated as the actions are not linked to an individual authorised user. The current investigation illustrates the impact that shared logins have in terms of providing an effective audit trail. Similarly, media reports about dealership employees 'Siebel farming' as part of customer retention activities illustrate the reduction in the effectiveness of audit trails where shared loginIDs are used.
But wait, as they say, there is more -
Vodafone's business functions require it to collect identity information from customers to comply with obligations to complete 100 point ID verification checks. This information is stored on Siebel and is available to all authorised users. This identity information includes, for example in the case of passports, the document number and expiry date. Identity theft can cause significant harm to individuals if a security breach occurs. Thus, while Vodafone staff and employees receive privacy training and their employment contracts include customer confidentiality requirements, having identity document information available to all staff and dealership employees raises additional privacy risks.

While Vodafone had a range of security safeguards in place to protect the personal information on its Siebel system at the time of the incident, the use of store logins and the wide availability of full identity information via Siebel caused an inherent data security risk in terms of how personal information was protected by Vodafone.
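An added illustration of the audit-trail point the report makes (example code, not from the report or from Vodafone's systems): a simple volume check can flag a login that pulls many customer records in quick succession, but only an individual login lets that flag be pinned to an accountable person. The log format, login names and staff roster below are constructed assumptions.

```python
# Added example; hypothetical log format, constructed data, not a real Siebel log.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: timestamp, login id, customer record, action. STORE042 is a shared store login; jsmith and akhan are individual IDs.
AUDIT_LINES = """\
2011-01-08T09:00:01 STORE042 CUST10001 VIEW_IDENTITY
2011-01-08T09:00:04 STORE042 CUST10002 VIEW_IDENTITY
2011-01-08T09:00:07 STORE042 CUST10003 VIEW_IDENTITY
2011-01-08T09:00:09 STORE042 CUST10004 VIEW_IDENTITY
2011-01-08T09:15:00 jsmith CUST10006 VIEW_BILLING
2011-01-08T10:00:00 akhan CUST10008 VIEW_IDENTITY
2011-01-08T10:00:03 akhan CUST10009 VIEW_IDENTITY
2011-01-08T10:00:05 akhan CUST10010 VIEW_IDENTITY
2011-01-08T10:00:08 akhan CUST10011 VIEW_IDENTITY
"""
# Who can present each login (constructed): one person for an individual ID, several staff for a store ID.
LOGIN_HOLDERS = {
    "STORE042": {"staff_a", "staff_b", "staff_c", "staff_d"},
    "jsmith": {"jsmith"},
    "akhan": {"akhan"},
}

def parse(lines):
    events = []
    for line in lines.splitlines():
        ts, login, cust, action = line.split()
        events.append((datetime.fromisoformat(ts), login, cust, action))
    return events

def flag_bulk_lookups(events, window=timedelta(minutes=1), threshold=4):
    """Logins that viewed >= threshold distinct records inside one window: list harvesting, not serving one customer."""
    by_login = defaultdict(list)
    for ts, login, cust, _ in events:
        by_login[login].append((ts, cust))
    flagged = set()
    for login, hits in by_login.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            recent = {c for t, c in hits[i:] if t - start <= window}
            if len(recent) >= threshold:
                flagged.add(login)
                break
    return flagged

def attribute(flagged, holders):
    """Each flagged login -> its single accountable user, or None when the login is shared and the trail cannot say who acted."""
    return {login: next(iter(holders[login])) if len(holders[login]) == 1 else None
            for login in flagged}
```

Both STORE042 and akhan trip the same check, but only akhan's activity can be tied to a named user; the store login leaves four possible actors and no way to choose between them from the log alone.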
In an article published the day this post went online the SMH stated that -
But [the SMH] understands that information was in fact available to be accessed from the public internet – rather than an internal intranet – but that it required a username and password to gain access to customer details. It was that username and password, which this website understands was shared among authorised users, that allowed for the unauthorised access of a customer's personal information.

[Our] understanding was put to the Privacy Commissioner's spokeswoman, who confirmed that this was in fact the case. She said that the main point of the Privacy Commissioner's comments that details weren't available on the public internet was to ensure customers did not think that their details were easily accessible by anyone using the internet. [Random users, no. People who work in the dealer network or who had been provided with info/access by the dealers, yes]

An unauthorised user could access Vodafone's web portal but needed login credentials to see customer details.

In January, [we] published a report, which claimed that the personal details of millions of Vodafone customers - including their names, home addresses, driver's licence numbers and credit card details - had been available online.

A further report, published in late January, revealed Vodafone dealer CommsDirect had been misusing customer information and forwarding call records on to people outside the company. The revelations, which led to CommsDirect shutting down, also formed part of the Privacy Commissioner's investigation.
The Commissioner notes that -
The Privacy Act does not currently allow for sanctions to be imposed following an investigation initiated by the Privacy Commissioner. The Government has foreshadowed its support for recommendations made by the Australian Law Reform Commission to strengthen the enforcement regime available under the Privacy Act as part of the Government's program of privacy law reform.
Time I think for the Privacy Commissioner to -
• engage with industry in active development of a realistic, rather than excessively permissive, national standard for data protection in dealer environments

• work with industry to proactively prevent the sort of problems apparent at Vodafone (i.e. management indifference, poor prioritisation in IT investment, inadequate supervision of dealers and of the junior staff employed by dealers) rather than responding once the data goes walkies

• look at the vetting and supervision of employees within the dealer network (i.e. Vodafone's agents), given indications that there is substantial churn and low supervision of those personnel.