Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Privacy Commissioner releases Vodafone findings

The Australian Privacy Commissioner, Timothy Pilgrim, has released his findings following an investigation into media reports claiming billing and call records for up to four million Vodafone customers were available on a publically accessible website.

The investigation looked at Vodafone's compliance with the National Privacy Principles.

"In the course of my investigation I did not find any evidence that substantiated the claim that Vodafone customers' personal information was available on a publically accessible website. However, in my view, Vodafone did not have appropriate security measures in place to protect customer's personal information at the time. Consequently Vodafone was in breach of their obligations under the Privacy Act," Mr Pilgrim said.

"I was particularly concerned by Vodafone's use of shared logins and passwords for staff and the broad range of detailed personal information available to them."

As part of an undertaking given to the Privacy Commissioner, Vodafone agreed to review its IT security, and all appropriate staff including employees in retail stores and dealerships will be issued with individual login IDs and passwords.

"I am pleased that on being made aware of the allegations Vodafone acted promptly to put in additional security measures to limit access to the personal information it holds.  While I welcome the steps that were taken I have also asked Vodafone to report back to me on the progress of the review and implementation of increased security measures," Mr Pilgrim said.

Mr Pilgrim said that this case should serve as a reminder to all businesses using customer management systems to ensure that they have robust privacy protections built in.

"All businesses must take the privacy of their customers seriously. Systems should be up to date and secure and staff should only have access to the information that is necessary for their work.  To comply with the Privacy Act and retain the trust and loyalty of their customers, I urge businesses to review their data security practices to prevent the likelihood of a privacy breach occurring which could have the potential to lead to identity theft or fraud," Mr Pilgrim warned.

The Privacy Act does not currently allow for sanctions to be imposed following an investigation initiated by the Privacy Commissioner. The Government has foreshadowed its support for recommendations made by the Australian Law Reform Commission to strengthen the enforcement regime available under the Privacy Act as part of the Government's program of privacy law reform.

The full investigation report can be found here:

Media contact:     Ms Leila Daniels     0407 663 968

More information about the Office of the Australian Information Commissioner can be found at