Vodafone Customer Database Breached 136
beaverdownunder writes "Vodafone has confirmed it believes its secure customer database has been breached by an employee or dealer who has shared the access password, revealing the personal details of millions of customers... According to Fairfax newspapers, 'criminal groups are paying for the private information of some customers including home addresses and credit card details.'"
Access password with no ACLs ? (Score:5, Insightful)
Well this sure sounds like when they need to give somebody access to *some* data, they just give her/him a username/password which then grants her/him access to the whole database.
ACLs ? group based authorization ? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers data, etc.
Kind of like: You are the new guy who is managing our blog ? Here is the root password on all our systems, thanks to yp, they are the same on all machines. Have fun in your new job.
Re: (Score:3, Insightful)
The bigger problem appears to be that they don't even seem to use individual logins.
They appear to give stores a single username and password to share (which is probably written on their screens!), and then allow their management system to be accessible from any location.
The best bit is that some of these credentials are even posted in documents on their website if you look hard enough.
*facedesk*
Re:Password Changes (Score:1)
From the Article:
"I'm not concerned about the brand at the moment, I'm mostly concerned about making sure our customers' records are safe."
"And that's why we're resetting those passwords every 24 hours. "
So I guess
Today's password is "password01092011" tomorrow's password is "password01102011" Terminals labels will be changed to password = password + today's date.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
ACLs ? group based authorization ? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers data, etc.
At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this. Why the HELL would you have any sensitive customer data on an internet-facing machine?
Re:Access password with no ACLs ? (Score:5, Interesting)
ACLs ? group based authorization ? For example, very few people should be allowed to view credit card numbers, a representative should only be allowed to view his own customers data, etc.
At the very least I'd want them to only make customer data available over a secure site on their own WAN-based intranet. I'm a Vodafone customer and I'm really not happy about this. Why the HELL would you have any sensitive customer data on an internet-facing machine?
Because you're a large corporation, therefore the worst that'll happen to you is a small slap-on-the-wrist fine.
How to suddenly tighten up corporate security in one maneuver: pass a law stating that the corporate veil is null and void in the case of egregious security violations like this that even the slightest effort could have prevented, leaving the highest levels of management with their deep pockets open to personal civil suits that are NOT eligible for class-action status or any other group status. One at a time Mr. CEO. Are there thousands of victims? Well, hope you got a lot of time on your hands.
Re: (Score:1)
It doen't even matter if it's a massive painful fine - it all gets passed on to the customer, you betcha the management and shareholders won't suffer when averaged out over the next few years. At the worst one scapegoat will get the sack.
What part of "the corporate veil" being "null and void" is difficult for you to understand? Reading comprehension has reached an all-time low when there are so many wasteful posts like yours.
Re: (Score:1)
Ah, so the CEO and upper management are personally responsible for anything bad that happens?
I know this is not a popular opinion here, but sometimes the "peon" implementing the system actually is lazy and useless. You're advocating making senior management pay for the actions of an employee they probably never met. Unless you think senior management (who aren't IT people, inevitably) should be vetting every single deployment for stuff they don't understand?
Your "solution" is stupider than the problem it'
Re: (Score:2)
"I know this is not a popular opinion here, but sometimes the "peon" implementing the system actually is lazy and useless."
Still his manager's fault for not firing him on the spot.
"You're advocating making senior management pay for the actions of an employee they probably never met."
Senior management advocate they should get bonuses for the actions of all those employees they probably never meet so it's just tit-for-tat.
Re: (Score:2)
Still his manager's fault for not firing him on the spot.
No, not really. Since you can only fire someone AFTER they've done something wrong. Under AC's dumb plan, they're already liable for millions in fines, despite the potential that they actually want to fix it.
Senior management advocate they should get bonuses for the actions of all those employees they probably never meet so it's just tit-for-tat.
Well, yes. Don't get me started on management bonuses.
(Also, hey mods: "Flamebait" doesn't fucking mean "I disagree, and wish to censor your opinion")
Re: (Score:2)
"No, not really. Since you can only fire someone AFTER they've done something wrong."
True. But if that someone can do something not simply wrong but utterly wrong it's again a management failure because it means a lack of checks and ballances that they should know better to put them there.
"Under AC's dumb plan, they're already liable for millions in fines"
When things go well they're "liable" for millions in bonuses despite of the fact that the "good" comes from a lot of people they neither directly know no
Re: (Score:1)
What we need is some kind of system where fines to the company are taken directly from the pay packets of the directors.
It might make them actually give a shit about data security and force them to deal with these data breaches.
If they get paid a handsome salary + bonus for the work carried out by those below them, surely they should carry the blame for mistakes made by those below them.
Re: (Score:1)
Hopefully not for long. Change your CC number and close your account (and don't let them charge you any kind of disconnection/early termination fee).
Re: (Score:2)
The most basic call center employee needs access to data of all the customers, since any of them may call. How can you partition the data and at the same time achieve seamless customer experience wherever the customer may contact you?
Re: (Score:2)
Pull up the data on the caller as they call? Call centre staff don't need access to my details unless I'm on the phone to them, or I have a case open that they're still helping with.
Re: (Score:2)
Do what a few providers already do. On calling, the automated system asks for the telephone number of the line you're calling about, then asks for your PIN. It then transfers you to customer services.
There's a big difference between being accessible when needed and accessible at all times.
Re: (Score:2)
A limited subset of data, yes. The call centre employee doesn't need access to billing for example. The billing support people do, but even they probably don't need access to CC details (perhaps some senior staff should, just so that they can deal with calls related to it). Dealer stores most definitely don't need access to that level of detail, and certainly not for every customer (even those they didn't sign up). And all this stuff sure as shit shouldn't be delivered directly over the frigging interne
Re: (Score:2)
The most basic call center employee needs access to data of all the customers, since any of them may call. How can you partition the data and at the same time achieve seamless customer experience wherever the customer may contact you?
Partition the call centre employees according to the least significant digit or digits of the customer's telephone number. Employees A, B and C deal with customers with phone numbers ending in 0, and can only see records of those customers. Employees D, E and F deal with phone numbers ending in 1, and so on.
This is how it was done when I worked in the civil service nearly 20 years ago (well, there it was alphabetically by customer surname, but it's the same principle). That was done for logistical convenien
Re: (Score:2)
That would probably work better, yes. Though you can bet this hack wasn't done by someone looking up the record for phone number 000-0000-0000, then 000-0000-0001, then... Perhaps as well as limiting the number of searches an employee can do, searches should be limited to returning no more than X records, where X is much smaller than the number of records in the database.
Re: (Score:2)
That doesn't work - when I come in person to someone, or someone has picked up my call, they don't know which customer has arrived, and forwarding later to someone else is horribly inefficient and bad service.
Re: (Score:2)
You say: "very few people should be allowed to view credit card numbers".
In fact, for them to be PCI compliant (which I would assume a company the size of Vodaphone must be), no-one should be able to access customer credit card numbers. Its shockingly bad practice if they're even on their database, let alone widely accessible.
Re: (Score:2)
Re: (Score:1)
They are on so that the customer can call in once a month and say "charge the number in my account for last month's bill."
That does not require the CC number to be displayed. The backend system has the number stored (otherwise it could not be retrieved and displayed to the agent), so in the payment entry screen there should be "buttons" for 'charge to stored bank account', 'charge to stored Credit/Debit Card' and 'Enter the card details to be charged'.
Re: (Score:1)
Re: (Score:2)
Valuable goods will be stolen (Score:5, Insightful)
I don't try to hide and lock down my car's license plate number. My car's license plate number is 6NHG617. Nobody cares about it and nobody wants to steal it. It's not valuable. The solution to the "problem" of personal identification theft is not to keep trying to hide and lock down personal information. The solution is to make personal information no longer valuable.
Re: (Score:3)
Re: (Score:3)
If I drive something worth stealing, nobody is going to go through any effort that involves my number plate or other "personal information". They're going to tow it away in 45 seconds while I'm in the grocery store.
The point is, there is no value in this particular "account number" because minus a few concocted movie-like scenarios, it cannot help anyone get anything. But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change
Re: (Score:3)
But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change.
But if it's too "secure", when the bank screws up (or insiders do stuff) they will deny it and convince the courts it's a valid transaction and your fault.
Re: (Score:2)
But my credit card number can be used by itself, without any other meaningful authentication, to make purchases. This is what needs to change.
To use a credit card online, you need the CC number, the CVV number, date of expiry and an additional password(VbV/Mastercard securecode) -- 3D secure system To use it offline, the signature must match and an id proof is needed for transactions of any significant value, so i dont think the CC leaks are too much of an issue..
Re: (Score:3)
Merchants are not permitted to request ID by their merchant agreement with the credit card companies.
Lots of places ask for it anyway, because they're who's out cash if a charge is successfully disputed. But you are not required to show ID.
Re: (Score:2)
Where does your info come from?
I've worked in banking, and seen merchant agreements that say that for transactions above certain amount, if the merchant doesn't verify ID, then merchant bears the risk - thus checking ID isn't mandatory, but they are allowed to check ID and refuse transactions w/o ID. Maybe that doesn't apply to all types for merchants, but for some (say, jewelry - buying a $1000 gold necklace) Visa/Mastercard definitely allow merchants to request ID.
Re:Valuable goods will be stolen (Score:5, Informative)
On the contrary. ID is not permitted to be required. See right here:
http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html [mastercard.com]
[On an OT note, since when does Slashdot require me to wait for an extraordinarily long period of time when I am just trying to reply with some simple information]
Re: (Score:2)
And yet, some of those "violations" are in fact permitted:
http://www.mastercard.com/us/merchant/support/minmax_trans_amts.html [mastercard.com]
Re: (Score:2)
No matter how many numbers are written on a credit card, they must be considered together as a single authentication factor. If the thief has access to one number physically on the card, he likely has access to all numbers on the card.
The additional password is a good start, but relies on the merchant not being a retard and linking the password with the CC number in a way that can be compromised. Also, as we have seen over and over, however, passwords are not great security tokens because they are either ea
Re: (Score:2)
However your point about weak and remembered or strong and writtendown passwords is very valid
Re: (Score:2)
A signature must match the one that's prominently displayed on the back of the card ready for the thief to copy... That's assuming the merchant actually checks, because usually they don't bother. And if large transactions flag too much attention, just make lots of small transactions instead.
Re: (Score:1)
Re:Valuable goods will be stolen (Score:5, Informative)
Tell that to the people that have had their car number plate cloned for a similar model car, and end up getting speeding tickets and congestion charges for driving in London, despite not doing anything of the sort. And good luck getting the police to believe that's not your car and number plate in the photos.
The problem is not the openess (or not) of people's data. It's that it's trivially abused as personal data is often used as some form of ID, not least by banks, credit agencies, police and shops.
Re: (Score:2)
Re: (Score:1)
Agreed, Ryan.
Re: (Score:1)
Correct me if I'm wrong, but people do steal license plates; that's why there are special security bolts you can buy to attach it. If you mean just the number, how could someone steal the number itself? And if they did, would your car just have no number, even in databases?
Re: (Score:1)
If you mean just the number, how could someone steal the number itself? And if they did, would your car just have no number, even in databases?
They can have new plates printed. Various dealerships and auto equipment shops have machines that make plates. I'm sure a crook could get a hold of one.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
I don't try to hide and lock down my car's license plate number. My car's license plate number is 6NHG617. Nobody cares about it and nobody wants to steal it. It's not valuable. The solution to the "problem" of personal identification theft is not to keep trying to hide and lock down personal information. The solution is to make personal information no longer valuable.
Are you in the UK? I went to Halford's last week, and based on my number plate, the guy at the till found out what kind of car it was, and what kinds of equipment would fit. I don't know what else he had on the screen, but I'd be pretty unhappy if it had all my details such as address, insurance details, etc. Anyway, he explained it was available as a database that firms can purchase. The fact that someone does purchase it suggests it has some value.
Re: (Score:1)
He'd have a system that gives him the VIN, make, model, variant, colour etc. The DVLA have cracked down on people reselling the data though, hence you don't see so many "text the reg number" services anymore. Bang went our chance to resell it in an Android app. Giving out the full VIN is a big no-no too, last 8 chars is ok to confirm it though.
We have a similar system in the company I work for to confirm the vehicle we are underwriting. Ours also gives us the number of owners, transfer dates, whether it's b
Re: (Score:2)
Have a look at http://www.askmid.com/ [askmid.com] and you'll see that you can find out a good amount of information from just a license plate.
Re: (Score:3)
In Sweden, the license plate is enough to find out the name and address of the owner. It's a little bit more difficult now, but a few years ago (10-15 maybe?), a bunch of guys basically made a living out of sitting at the ferry terminals, writing down the license plates of the cars that left for Germany or Danmark, called up the authorities to find out the address of a person who was now obviously not at home and then drove there to empty the place.
Australia only? (Score:2)
Re: (Score:2)
That's something I'd like to know as a UK customer of Vodafone; certainly some of their back end infrastructure is shared across regions as their web-based account management is universally badly designed and subject to frequent and random failures if their various national support forums are anything to go by,
Re: (Score:2)
From the reporting here in Australia, it does appear to be restricted to Australia; Vodafone has come under increasing fire here for poor service, reception and call handling issues, and this just adds a cherry to the pie that is coming for their face.
That said, you'd better hope it's not accepted practice across the international organisation. Vodafone here recently merged with Three (Hutchison) for Australian operations, so it could be either company's policies that were the root cause of this, but both t
Re: (Score:3)
Voda NZ spokesperson states that their systems are unaffected... "We use a completely different security set-up to Australia, which would make it extremely hard for someone to access data..." [techday.co.nz]
However, their official statement on the matter [techday.co.nz] does nothing to show that they were unaffected...
Re: (Score:3)
The only data flow between them would be roaming CDRs and any reporting to VF HQ.
Re: (Score:2)
Re: (Score:2)
Even if it doesn't affect the UK I have added the article to the stack I will hand over if/when my identity is stolen. These days it seems to be basically impossible to prevent your private data leaking because so many companies and organisations need it just for you to live a normal life.
Not PCI compliant (Score:1)
How the heck do they get away with having retrievable credit card details in their db? Once the CC# is in the database it shouldn't be retrievable.
How many places out there don't actually follow this simple rule?
Where I work we were worried that the banks may turn off our credit card processing facilities if we don't get PCI compliant. And that is maybe 1/40 of the customer base.
I am really puzzled - how does Vodafone get away with this in the first place? No audits?
Re: (Score:2)
It's not trivial (or cheap) to liase with multiple billing/CRM vendors and do full PCI audits, then pay for any necessary code changes.
In fact, some systems are better off replaced as it's not worth the investment upgrading legacy software. Doing so can take a good 2-3 years.
Re: (Score:2)
The PCI requirements aren't great, many are short sighted, flawed or just plain wrong...
Also if you're a small company, they will hit you over the head and force you to comply with their requirements, if you're a huge company like vodafone you get cut a lot more slack because they don't want to lose your business.
Most PCI consultants are geared up towards "how can we get through this with the minimum of disruption" rather than "how can we improve security", they comply with the letter of the pci regulations
Re: (Score:2)
I assume by
Once the CC# is in the database it shouldn't be retrievable.
he meant something fairly similar to
stored in encrypted form and restricted access.
Admittedly, those statements aren't identical, but they're close enough for the vast majority of the employees....
Secure customer database? (Score:2)
Re: (Score:1)
It's the mother of all oxymorons
Re:Secure customer database? (Score:4, Funny)
Re: (Score:2)
Everything is as strong as the weakest link - and in case of computer security that weakest link is usually the human factor.
Indeed in this case they talk about shared passwords. The database may be very secure, but when people having access rights share those rights with unauthorised parties well then security is breached. Which doesn't mean the database itself is not secure though.
Make them pay! (Score:1)
We have a situation where the cost of acquiring and possessi
Re: (Score:1)
I hope it sinks them and Philip Green the tax avoiding sunofabitch
http://www.ukuncut.org.uk/targets
Re: (Score:2)
Also if a company leaks information such as card details, make *them* liable for any fraud which occurs as a result...
When a mass fraud happens, it's quite easy to work out that all the stolen cards were used with the same company.
Breached? Or "leaked"? (Score:1)
Neat way of selling your database, then claiming it was stolen...
Why dealers? (Score:2)
Why oh why would Vodaphone give a DEALER the credentials necessary to access " ... the personal details of millions of customers ... "?
Re: (Score:2)
Why oh why would Vodaphone give a DEALER the credentials necessary to access " ... the personal details of millions of customers ... "?
so the next time you enter small dealer he can offer you an upgrade to a more expensive service.
Re: (Score:3)
so the next time you enter small dealer he can offer you an upgrade to a more expensive service.
Or as happened to me: a dealer ''sold me a phone'' -- what he did was to lie and tell vodafone that he had done so and collected his kick-back from vodafone for doing so. The first that I knew about it was many months later when I cancelled my contract of some 5 years and vodafone wanted me to pay them some fee since they thought that I had a new phone and new contract!
I wonder where he got all the details about me from, had the Vodafone database been abused many years ago, so how many times since ?
I eventu
Well at least they notified us so that we can... (Score:2)
OK, everyone...we've been notified...
everybody change their name & move so that the bad guys cannot use this information and we can sit back and laugh at them.
As A Vodafone Customer... (Score:1)
Re: (Score:2)
This does make me a little nervous... Time to change a few passwords methinks.
If TFA is correct, it's your home address and credit card numbers that might need to be changed...
Your passwords are probably OK.
Prepaid SIMs (Score:3)
Yet another reason to use Prepaid SIMs in my phones. My phone company doesn't even know my full name nor phone model, much less my CC number.
Re: (Score:2)
Re: (Score:2)
In some countries, identification of phone number owner is mandatory (e.g., Italy).
That's the case here in Australia. I had to give ID when getting a prepaid SIM with Vodafone. However, I don't use a credit card (don't have one) to "recharge" the balance, so I guess all they could have on me is my home address. And mobile number, of course. So I might get some targeted junk mail and unsolicited phone calls?
Re: (Score:2)
Same for South Africa. It even extends to prepaid. [hellkom.co.za]
The Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA), requires compulsory registration of all SIM cards in use, and came into effect on 1 July 2009.
Existing subscribers will have until December 2010 to register both their prepaid and contract SIM cards.
Re: (Score:2)
Good for you, however if you connect to them they can see your imei and depending on what other services you use from them, i'm pretty sure they have the capability to know a lot of information, the most obvious one being your phone model.
Re:Prepaid SIMs (Score:4, Informative)
Re: (Score:2)
You don't necessarily need to go prepaid to avoid giving a CC number. You just need to use a billing option other than 'automatic credit card deducations'.
I've been a Vodafone AU customer for over a decade and I've always paid via Bpay. Not only is it cheaper (no credit card surcharge), but you don't have to give any personal financial information to them.
Not that that's much comfort: "Gee, instead of leaking my name, address, phone number, drivers licence number, date of birth and credit card number ... th
Re:Prepaid SIMs (Score:4, Informative)
Bollocks, don't you go speaking for NZ. You can just buy a voucher - with cash - and use the code printed on it to top up.
Re: (Score:3)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Nope, prepaid is the norm here, I don't know anyone who has contract for personal phones.
Time to rethink payment methods? (Score:2)
Such breaches are the reason why I will never have a credit card. There ought to be a way to create some kind of simple ACL on payment methods: Similar to how I use a different e-mail alias for every (important) website I sign up for which I can simply change or delete if the database is breached or I receive spam, I should be able to give each company an individual authorisation code for withdrawals from my account that can only be used by that company, maybe through digital signatures, and may be subject
details of millions of customers (Score:1)
Re: (Score:1)
Global or one country only? (Score:2)
Does anybody know if this was a global database or one region only?
cheers.
Re: (Score:1)
Does anybody know if this was a global database or one region only?
cheers.
It was regional, as another posted pointed out Vodafone uses different systems all over the world.
It is bad news certainly but unless the person who built the web interface was an idiot it should have no way to extract all customer data in one go. Either way, Vodafone promised more information and we can be certain that will happen as VF is not really a single company anymore than the EU is a single country. It should be interesting as the others will be very peeved this close to the annual SOx audit and
Should never have been this bad (Score:1)
Vodafone PR keeps repeating -- both in the press and on their website [vodafone.com.au] -- that the information was "not publicly available on the internet" which, although technically true, is disingenuous. What IS being asserted is that the credentials to access the "secure" information were well known.
So much information should never have been made public. As others have remarked, not all the breached information needed to be available online. They also should have had individual log-on's and layered access.
Also, some oth
Stellar reporting (Score:2)
"secure customer database has been breached"
(for extremely small values of "secure.")
Re: (Score:3)
Vodafone Group plc (LSE: VOD, NASDAQ: VOD) is a global telecommunications company headquartered in Newbury, United Kingdom. It is the world's largest mobile telecommunications company measured by revenues and the world's second-largest measured by subscribers (behind China Mobile), with around 332 million proportionate subscribers as of 30 September 2010.[2][3] It operates networks in over 30 countries and has partner networks in over 40 additional countries.[4] It owns 45% of Verizon Wireless, the largest mobile telecommunications company in the United States measured by subscribers.
Re:Let me be the first to say (Score:4, Informative)
Considering that as a vodafone customer you can travel to 30 countries and use a network owned by the same company, the roaming rates are pretty extortionate when you actually try to do so.
Re: (Score:2)
Re: (Score:2)
Seems it would be this. [lmgtfy.com]
Re: (Score:2)
That'd be the largest mobile telecommunications company in the world.
Kinda like saying "WTF's a McDonalds?" :P