Vodafone Hutchison Australia: Own motion investigation report
The Australian Privacy Commissioner, Timothy Pilgrim opened an own motion investigation under section 40(2) of the Privacy Act 1988 (Cth) (the Privacy Act) in response to media reports that the personal information of Vodafone Hutchison Australia (Vodafone) customers had been compromised.
Media reports of 9 and 10 January 2011 claimed that billing and call records for up to four million customers were available on a publicly accessible website protected only by passwords that change every three months. These reports raised concerns that Vodafone’s practices were inconsistent with the National Privacy Principles (NPPs), specifically NPP 2.1 and NPP 4.1.
The Privacy Commissioner commenced his investigation on 10 January 2011.
In response to the investigation, Vodafone:
- advised the Privacy Commissioner it had implemented emergency technical measures and commenced an internal investigation on becoming aware of the allegation.
- advised that customer information was not, and had not been, publicly available on the internet or the Vodafone website.
- provided regular updates to the Privacy Commissioner about its internal investigation.
- met with senior staff from the Office of the Australian Information Commissioner (OAIC) to discuss the incident and review Vodafone’s systems including their customer management system, Siebel. This included a detailed demonstration of Siebel to illustrate how users access the system and what customer information could be accessed.
Vodafone advised that as a result of its investigation, it found that the login of a VHA owned store was used to show an individual what information the Siebel system held about them. In doing so, the demonstration showed how a user with a current login ID and password could gain access to the customer information stored in Siebel.
Further, contrary to media reports, Vodafone’s internal investigation confirmed that no login IDs, passwords or customer data were ever available on the internet or on the Vodafone website. The Privacy Commissioner can find no evidence that this information was available on the internet or Vodafone’s website. However, the investigation did show that a small number of staff may have breached Vodafone’s internal policies relating to the appropriate use of login IDs and passwords.
At the time of the incident, Vodafone advised it had a range of data security measures in place to protect the personal information held in its Siebel system, including access controls, network protection, system monitoring, and policies and procedures about customer confidentiality and privacy.
In particular, the following security measures were in place to protect the personal information within the Siebel customer management system:
- Authorised users, including employees in exclusive and non-exclusive Vodafone dealerships, are granted access to the Siebel system through a secure web portal and via a secure login ID and password.
- Retail stores and dealerships were issued with a unique store login ID which employees used in conjunction with the store password to access the Siebel system.
- Authorised customer care and head office Vodafone staff access the Siebel system via individual login IDs.
- Each user password was changed every 60 days as a default (with passwords reset more frequently as required).
- Vodafone’s Siebel system has audit trails that record the date and time that an account is accessed, and the login ID used. Exception reports on detected anomalies are produced daily and weekly.
- Siebel has a tiered access system, as well as IT admin access:
- Tier 3 Access provides a basic level of access to Siebel. For example, users with Tier 3 access do not have access to billing or call history records. Also, while authorised users can view identity document details (for example, in the case of a passport, the passport number and expiry date), they cannot view a copy of the document itself.
- Tier 1 Access provides access to more detailed customer information for authorised users, for example, billing and call records.
Vodafone also has policies, procedures, employee agreements and training material that set out the privacy and confidentiality obligations staff and authorised users have regarding customer information.
NPP 2.1 provides that organisations must only use or disclose personal information for the primary purpose for which it was collected, unless an exception under NPP 2.1 applies.
In this case it was reported that the personal information of four million Vodafone customers, including their billing and call records, was uploaded onto a publicly accessible website.
However, as a result of the internal Vodafone investigation Vodafone found that the login of a VHA owned store was used to show an individual what information the Siebel system held about them as a way of demonstrating the type of information the system holds about its customers. Information gathered during the Privacy Commissioner’s investigation indicates that this demonstration was done with the consent of the individual.
The Privacy Commissioner’s investigation found no evidence that any Vodafone customer information was publicly available on the internet or on the Vodafone website. Nor was the customer information of any third parties disclosed to the individual.
In respect of NPP 2, an organisation is not disclosing information where it gives an individual access to information the organisation holds about them.
Taking into consideration all the information available to the Privacy Commissioner, in his view, the allegation that personal information was disclosed contrary to NPP 2.1 is unsubstantiated.
Under NPP 4.1, Vodafone must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. The OAIC will look at the overall security safeguards in place within an organisation when assessing whether it has taken reasonable steps to comply with NPP 4.1.
Generally, organisations will need to have a range of security safeguards in place to protect the information they hold. Such safeguards could include:
- physical security measures that, for example, only allow authorised users to enter the premises and have secure storage and destruction facilities in place
- computer and network security measures
- communication security, for example, that protects emails from unauthorised intrusion and interception, and
- security protocols that include policies and procedures that regulate how staff and others with access to personal information will access and handle that information.
What are reasonable steps to secure personal information will depend on the organisation’s particular circumstances. Organisations need to consider the structure, activities and information handling practices of their business. For example, the size of the organisation, how the organisation handles the personal information it holds and the type of information it holds will be relevant factors.
In deciding what security safeguards are reasonable to comply with their obligations under NPP 4.1, organisations should consider a range of measures including:
- taking steps to identify security risks to personal information held by the organisations
- developing policies and procedures that reduce identified risks, and
- having appropriate IT security settings governing system access, and monitoring and measuring performance against relevant Australian and international standards. One such relevant standard is AS/NZS ISO/IEC 27002:2006 ‘Information technology - Security techniques - Code of practice for information security management’. This standard contains advice about information security management protocols that organisations should take into account when designing systems, including user access controls and system monitoring.
Whether the steps taken by Vodafone to protect personal information are reasonable in the circumstances is a subjective test based on the particular risks within its business. In this regard, it is noted that Vodafone’s business model includes licensed dealerships, which can carry underlying data security risks and, consequently, such risks may warrant additional security safeguards being taken. For example, appropriate authentication of remote users will be an important network security measure. Further, while these dealerships are subject to contracts that include customer confidentiality obligations, the use of store login IDs, rather than individual login IDs, also adds to the underlying data security risk.
The use of shared login IDs reduces the effectiveness of audit trails in assisting investigations and access control monitoring, which are important steps for organisations in protecting personal information. In practical terms, the use of shared logins means that anomalies may not be detected and, if they are, they may not be able to be effectively investigated, as the actions are not linked to an individual authorised user. The current investigation illustrates the impact that shared logins have on providing an effective audit trail. Similarly, media reports about dealership employees ‘Siebel farming’ as part of customer retention activities illustrate the reduction in the effectiveness of audit trails where shared login IDs are used.
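As an added illustration of the attribution problem described above (this is example code, not part of the Commissioner’s report or Vodafone’s systems), the following runs a simple exception-report check over constructed Siebel-style audit rows: the login IDs, account numbers, threshold and store roster are invented sample values, and the check shows that an anomaly under a shared store login resolves to several possible employees while one under an individual login resolves to one person.

```python
from collections import defaultdict

# Constructed Siebel-style audit rows (timestamp, login ID, customer account viewed).
# A "STORE-" login is shared by everyone rostered in that store; the other
# logins are individual. Sample values only, not real records.
AUDIT = [
    ("2011-01-07T09:02", "STORE-0421", "ACC-1001"),
    ("2011-01-07T09:03", "STORE-0421", "ACC-1002"),
    ("2011-01-07T09:03", "STORE-0421", "ACC-1003"),
    ("2011-01-07T09:04", "STORE-0421", "ACC-1004"),
    ("2011-01-07T09:05", "STORE-0421", "ACC-1005"),
    ("2011-01-07T10:15", "jsmith", "ACC-2001"),
    ("2011-01-07T10:40", "jsmith", "ACC-2002"),
    ("2011-01-07T11:00", "ahuang", "ACC-3001"),
    ("2011-01-07T11:01", "ahuang", "ACC-3002"),
    ("2011-01-07T11:01", "ahuang", "ACC-3003"),
    ("2011-01-07T11:02", "ahuang", "ACC-3004"),
    ("2011-01-07T11:03", "ahuang", "ACC-3005"),
]

# Hypothetical roster: employees entitled to use each shared store login.
ROSTER = {"STORE-0421": {"emp-17", "emp-23", "emp-31"}}


def distinct_accounts_per_login(records):
    """Distinct customer accounts viewed per login ID, the metric an exception report would use."""
    seen = defaultdict(set)
    for _ts, login, acct in records:
        seen[login].add(acct)
    return {login: len(accts) for login, accts in seen.items()}


def flag_anomalies(records, threshold):
    """Login IDs that viewed more than `threshold` distinct accounts."""
    counts = distinct_accounts_per_login(records)
    return sorted(login for login, n in counts.items() if n > threshold)


def candidate_users(login, roster):
    """Who an audited action can be attributed to: the single owner of an
    individual login, or every rostered employee for a shared store login."""
    return roster.get(login, {login})


def attribution_report(records, roster, threshold):
    """Map each flagged login to the people it could resolve to; a list longer
    than one means the audit trail cannot identify the responsible user."""
    return {login: sorted(candidate_users(login, roster))
            for login in flag_anomalies(records, threshold)}
```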
Vodafone’s business functions require it to collect identity information from customers to comply with obligations to complete 100 point ID verification checks. This information is stored on Siebel and is available to all authorised users. This identity information includes, for example in the case of passports, the document number and expiry date. Identity theft can cause significant harm to individuals if a security breach occurs. Thus, while Vodafone staff and employees receive privacy training and their employment contracts include customer confidentiality requirements, having identity document information available to all staff and dealership employees raises additional privacy risks.
While Vodafone had a range of security safeguards in place to protect the personal information on its Siebel system at the time of the incident, the use of store logins and the wide availability of full identity information via Siebel caused an inherent data security risk in terms of how personal information was protected by Vodafone.
For this reason, in the Privacy Commissioner’s view, Vodafone had not taken reasonable steps to protect the personal information it held at the time of the incident and therefore it did not meet its obligations under NPP 4.1.
Steps taken to resolve the matter
Vodafone was initially advised about the incident on the weekend of 8 and 9 January. Until the matter could be fully investigated and appropriate action taken, it disabled the Siebel accounts for all retail stores and dealers. This meant all Vodafone retail stores and dealers were required to contact Vodafone’s helpdesk on Sunday 9 January 2011 to be re-identified before a new password was issued to enable access to Siebel. In addition, Vodafone:
- commenced an internal investigation into the alleged incident
- launched an internal review of its IT security and customer information protection controls. As part of the review Vodafone is analysing which staff are required to have Tier 1 access
- sent a bulletin to Vodafone retail stores and dealers confirming the true nature of the incident and reminding them about their customer confidentiality and user access obligations, particularly that any unauthorised access to Vodafone’s secure web portal or sharing of user names and passwords constitutes a breach of employment conditions and is potentially a criminal offence
- issued a public statement reassuring customers that their information was not publicly available on the internet
- established a “Privacy Hotline” which enabled concerned customers to contact Vodafone regarding the issues in the media. Customers could also request a separate investigation regarding their personal information.
- imposed a requirement on all retail stores and dealers to reset their passwords on a daily basis from Monday to Friday until individual login IDs were implemented
- disabled any Siebel account that had not been used in the previous six weeks.
Further, Vodafone has agreed it will undertake to:
- make a number of changes to its security systems, the details of which have been provided to the Privacy Commissioner but for confidentiality and security reasons are not expanded on here
- as part of its IT security review, reassess which users require Tier 1 access, whether to create an additional access Tier and whether identity document information can be masked in Siebel.
- issue individual login IDs and passwords to all appropriate staff, commencing on 5 February 2011. Individual login IDs for retail stores and dealers have now been implemented.
While the information available to the Privacy Commissioner showed that the reported incident was not a disclosure in breach of NPP 2.1, he considers that, at the time of the incident, Vodafone did not have an adequate level of security in place to protect the personal information it held in its Siebel system. For that reason, Vodafone did not meet its NPP 4.1 obligations.
The Privacy Commissioner acknowledges that on becoming aware of the alleged disclosures Vodafone acted immediately to restrict access to personal information, commence an internal investigation into the incident and review its data security practices. These actions were a positive step towards preventing any possible unauthorised access to the personal information held by Vodafone until such time as the allegations could be investigated.
By way of reaching a resolution to this matter, the Privacy Commissioner welcomes Vodafone’s undertaking to improve its data security measures and requests that Vodafone report back to him about the outcome of its IT security review and progress of its implementation program.
Under s40(2) of the Privacy Act, the Commissioner may investigate an act or practice if:
- the act or practice may be an interference with the privacy of an individual, and
- the Commissioner thinks it desirable that the act or practice be investigated.
Sydney Morning Herald, 9 January 2011 — Mobile security outrage: private details accessible on net
NPP 2.1 sets out the general rule that organisations must only use or disclose personal information for the primary purpose for which it was collected, unless an exception under NPP 2.1 applies.
NPP 4.1 states that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
It is understood that the term ‘Siebel farming’ involved dealership employees reviewing customer records in Siebel for current business customers who were nearing the end of their contract. These records created a customer retention list for the dealership employees to follow up.