According to Fairfax, Vodafone's customer database is accessible to all its dealers over the internet, with the result that any dealer can look up extensive amounts of personally identifiable information (PII), together with call and SMS history, for any customer.
The Sydney Morning Herald says that unscrupulous password-holders have been offering what amounts to "pay-per-view" access to customer data to third parties.
Individuals, claims the Herald, are buying information to keep track of their spouses, whilst "criminal groups [are] paying for the private information of some Vodafone customers to stand over them". (Standover is the chillingly descriptive Australian vernacular for intimidation and extortion.)
If these allegations are true - and the reporter making them describes how she watched her own details, including complete call records, brought up over the internet by someone with a password for the Vodafone database - then they come at a woeful moment for Vodafone.
The company is already under the pump over ongoing network problems - a Sydney law firm recently set up a "register here to join a class action against Vodafone" website, and claimed on 05 January 2011 that approximately 9000 customers have already expressed an interest. (To be fair to Vodafone, this is one of those "no win no fee" deals, and no-one has actually had to provide any evidence or information yet. Talk - or its modern equivalent, clicking on a website - is cheap.)
This story is a disappointing echo of the so-called WikiLeaks "Cablegate" drama. In this case, it is claimed that a single person, with the lowly rank of PFC (Lance Corporal), was able to access, and to copy unencrypted, three decades' worth of secret US State Department diplomatic cables.
Organisational data shouldn't be accessible in an all-or-nothing fashion like this. It isn't fair to the organisation, and it definitely isn't fair to its customers. If you haven't yet started thinking about how to divide-and-conquer your corporate data - and how to divide-and-conquer the adminstration of that data - then why not make it a 2011 New Year's Resolution to do so?
News Source : Om Rathore | Sophos