Vodafone NZ distances itself from security breach claims

A security lapse led to millions of Vodafone customers' personal information being made available online. Photo / Thinkstock

Vodafone New Zealand is distancing itself from security problems in Australia, saying its New Zealand data is well protected.

Vodafone Australia said yesterday it was investigating an alleged security breach involving millions of its customers' personal details.

Fairfax newspapers reported that Vodafone's customer database is accessible to all its dealers over the internet and that any dealer can look up personal information as well as call and text history.

The company has denied the details are publicly available on the internet.

Vodafone New Zealand spokesperson Matt East said the New Zealand company was not aware of any security breaches involving Vodafone customers here.

"We obviously monitor these things very closely," he said.

The full extent of the Vodafone Australia privacy breach is unknown, but it is possible that thousands of people have logins that can be passed around and used to gain access to the accounts of about four million of its clients.

The mobile phone company has reset all passwords for its web portal, used by employees and dealers.

Details including names, home addresses, driver's licence numbers and credit card details have been available on the web in what has been described as an "unbelievable" lapse in security, Fairfax reported.

Vodafone New Zealand said it understood the Vodafone AU partner portal was protected by single factor authentication, in this case a password.

"Access to our partner portal is via a two factor authentication procedure which makes it very difficult to access if you don't have the security token," he said, adding that access required more than a username and password.

No New Zealand customer information was held in Australia, East said.

When asked if there had been any possible security lapses in customers' personal details here, East said he was not aware of any customers' details being compromised in any way.

"VFNZ has rigorous policies and procedures including regular audits and security reviews which ensure our systems are up to date," he said.

"All customer account access is monitored and logged. Should any unusual activity be reported, it will be identified and investigated."

The Australian company has reset all passwords for its web portal, used by employees and dealers.

The Australian report said criminal groups have paid for the private details of some Vodafone Australia customers to blackmail them and other people have obtained logins to check their spouse's communications.

A Vodafone Australia spokesman said the company was concerned to hear of the alleged breach.

"Vodafone's customer details are not 'publicly available on the internet'," he said in a statement.

"Customer information is stored on Vodafone's internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password.

"Any unauthorised access to the portal will be taken very seriously, and would constitute a breach of employment or dealer agreement and possibly a criminal offence."

The company would investigate the allegations and refer the matter to the Australian Federal Police if appropriate, the statement said.

Michael Fraser, head of the Australian Communications Law Centre at the University of Technology, Sydney, told Fairfax it seemed to be a major breach of the company's privacy obligations and "unbelievably slack security".