The Australian Privacy Commissioner today said although VHA (which owns the Vodafone brand) didn’t make customers information publicly available on the internet during its recent security scandal, it was nontheless in breach of its obligations under the Privacy Act.

In January 2011, VHA started an investigation over an alleged breach of its security, which had reportedly seen customers’ personal information – including phone calls details – made available to individuals who somehow had obtained password access to the telco’s internal database for its Vodafone brand.

A month later, the Australian Privacy Commissioner Timothy Pilgrim today released the findings of his investigation, stating he didn’t find evidence that Vodafone customers’ personal information was available on publicly accessible websites, but he discovered the company’s security measures were inappropriate.

“… in my view, Vodafone did not have appropriate security measures in place to protect customer’s personal information at the time,” he said. “I was particularly concerned by Vodafone’s use of shared logins and passwords for staff and the broad range of detailed personal information available to them”.

VHA relies on the Oracle-owned Siebel customer relationship management system, which holds identity information collected from customers to comply with the 100 point ID verification checks. The documents new customers can provide to achieve the 100 point are, for example, passports and driving licences, with the relative expiring dates. The Commissioner’s report stated identity theft could cause significant harm if a security breach occurred, saying that store login IDs rather than individual IDs enhanced the data security risk.

“While Vodafone had a range of security safeguards in place to protect personal information on its Siebel system at the time of the incident, the use of store logins and the wide availability of full identity information via Siebel caused an inherent data security risk,” it is stated in the report.

Pilgrim said that, as a result of the investigations, VHA would issue individual login IDs and passwords to all appropriate staff, including employees in retail stores. He concluded he was pleased Vodafone had acted promptly to review and improve its IT security.

This morning VHA issued an official comment on the Commissioner’s findings. In a press release, the company said it had strengthened its data security, with tighter login identification and authentication processes, more frequent password resets and less approved access points for stores and dealers.

Vodafone Hutchinson Australia CEO, Nigel Dews, said the incident highlighted there were areas that needed improvement and that the company acted quickly to solve the problem. “We responded quickly, took action with those employees involved who had shared passwords, and brought forward the implementation of a number of new security measures to better protect all customers’ information,” he said.

The current Privacy Act does not allow for sanctions to be imposed after an investigation initiated by the Privacy Commissioner. However, Pilgrim said this case should remind all businesses using customer management systems to make sure their customers’ information are safely stored.

“To comply with the Privacy Act and retain the trust and loyalty of their customers, I urge businesses to review their data security practices to prevent the likelihood of a privacy breach occurring which could have the potential to lead to identity theft or fraud,” Pilgrim said.

Image credit: Vodafone