Vodafone Australia has admitted it hacked a journalist’s phone records for espionage purpose. The company was trying to discover the sources for journalist’s stories, but Vodafone denies any “improper behaviour”.
The journalist is Natalie O’Brien and in 2011 she published a series of stories related serious security issues in the Siebel data system used by the Vodafone.
O’Brien reported that Vodafone’s Siebel data system was available online and easily accessible through generic passwords that were being shared around the company and publicly.
The journalists reported that the Vodafone system was vulnerable to cyber attacks, exposing customer data, including home addresses, drivers’ licenses and credit card details, to criminal rings.
In response, after the publishing of the story, a Vodafone employee accessed her phone (O’Brien was Vodafone customer) call and text message records in order to discover its sources and the alleged company whistleblowers.
“It’s a creepy nauseating experience to know that someone has been trawling through your mobile phone account looking at all your call records and private text messages.” O’Brien wrote on the Sun-Herald.
“The invasion of privacy is devasting. It plays with your mind. What was in those texts? Who were they to? What did they see? What did they do with the information?”
The journalist was disconcerted by the events, the alleged flaws in the Vodafone system and the hack have to be reported to the Information and Privacy Commissioner and the Australian Communications and Media Authority.
“The shock and anger is only compounded knowing it was because I was doing my job that I was targeted and it was my own telco that was doing it to me. Since when did telling the truth become the wrong thing to do?”
According to internal Vodafone email, reported by the Australian, the Giant was aware of the serious security breaches and of consequences for hacking the journalist’s communications and data.
“The head of fraud management and investigations for Vodafone Group, Colin Yates, wrote to then global corporate security director Richard Knowlton that there was a “huge risk” to the company if the hacking of O’Brien’s phone “gets into the public domain”.” reported the Guardian.
“If the issue relating to breaching the reporter’s privacy by searching her private call records and text messages gets into the public domain, this could have serious consequences given it is a breach of the Australian Telecommunications Act,” Yates wrote.
“And would certainly destroy all of the work done by VHA [Vodafone Hutchison Australia] over the past months to try and restore their reputation.”
Vodafone denies any allegations of improper behaviour and confirms it provided all the necessary support to the Privacy Commissioner’s investigation.
[Vodafone] “strongly denies any allegations of improper behaviour. VHA takes its legal and corporate responsibilities very seriously”. states the company in an official statement.
“Over the past four years, VHA has invested heavily in the security of its IT systems. The company has very strict controls and processes around the privacy of customer information, and has appointed a dedicated privacy officer. The privacy of our customers and protection of their information is our highest priority and we take this responsibility very seriously.”
“We deny that Vodafone Hutchison Australia made any incorrect statements to the Privacy Commissioner or any other authorities.”
Vodafone confirmed it became aware of the hacking of O’Brien’s phone in June 2012.
“Vodafone Hutchison Australia immediately commissioned an investigation by one of Australia’s top accounting firms. The investigation found there was no evidence VHA management had instructed the employee to access the messages and that VHA staff were fully aware of their legal obligations in relation to customer information.”
This isn’t the first time that Vodafone was cited by privacy advocates.
In June 2014, Vodafone issued the “Law Enforcement Disclosure Report“ that revealed the existence of secret wires that allow state surveillance. The document describes the support provided by the company to many governments for lawful interception for some of its 400 million customers.
In November 2013, Vodafone Iceland suffered a major data breach that exposed 70000 user personal information. A a group of hackers disclosed a compressed 61.7MB rar file that contained a collection of files including one titled users.sql that appears to contain the 77,000 Vodafone user accounts. The file includes usernames, social security numbers, encrypted passwords as many other encrypted information.
Another file, MySQL file greind.sql appears to contain a small log of sms history that is dated 2011 as well as a sms logger.
The hack of the Fairfax journalist’s phone represents a serious threat for the user privacy, let’s wait for further information of the investigation of Australian authorities.