Vodafone faces security warnings over journalist hacking claims
A journalist says she is "appalled, outraged and very upset" amid claims her communications records were accessed by Vodafone staff, with privacy experts warning that this kind of data is "readily compromisable."
- Webby Award Winner (Best Video Host, 2021), Webby Nominee (Podcasts, 2021), Gold Telly (Documentary Series, 2021), Silver Telly (Video Writing, 2021), W3 Award (Best Host, 2020), Australian IT Journalism Awards (Best Journalist, Best News Journalist 2017)
A journalist who claims her phone records were accessed by Vodafone says she is "outraged" that she was seemingly targeted for exposing security problems at the company, and that the telco is yet to contact her, despite the incident occurring in 2011.
Fairfax journalist Natalie O'Brien has also raised concerns about the handling of telecommunications data relating to journalists and whistle blowers, with privacy experts saying the Vodafone incident shows that this kind of sensitive information is "readily compromisable."
The allegations against Vodafone emerged over the weekend after The Australian published an alleged leaked email regarding an internal intrusion on a journalist's phone records in 2011. This followed Ms O'Brien's January 2011 publication of a story about security vulnerabilities in Vodafone's data systems.
O'Brien told CNET that the original article was a "very legitimate" public interest story about Vodafone's internal data storage systems.
"What I was writing about at the time was that you could access [the system] with these general log-ons which were being shared by many people," O'Brien said of her 2011 piece.
"If somebody told you what the log-on was...you could see everything: who you'd been calling, who you'd been texting, all that sort of information."
However, O'Brien said her own records were accessed shortly after publishing the exposé, though she only recently learned of the alleged breach.
"It certainly wasn't Vodafone that told me," she said. "However, I was a Vodafone customer at the time so Vodafone would have had access to all of my records."
Upon learning about the alleged intrusion, O'Brien said she was "appalled, outraged and very upset" about what she saw as "exactly the wrong response."
"I'm doing my job as a journalist, warning people about an issue which was very serious...people being able to access their partner's records, these log-ins being shared with people in the community," said O'Brien. "What we were doing was a public interest story, a very legitimate and a very important one. I'm very upset about it."
Vodafone's parent company, Vodafone Hutchison Australia, published a statement on the weekend [PDF] in response to the incident, saying it "strongly denies any allegations of improper behaviour" and that it "takes its legal and corporate responsibilities very seriously."
Our investigation into alleged privacy breaches in January 2011 was undertaken to determine if any VHA staff had breached privacy laws or engaged in any criminal behaviour, not to discover the source of damaging media stories. As a result of our investigation, several retail staff were dismissed for breaches of VHA security policies.
In around June 2012, VHA became aware that an employee had, in January 2011, accessed some recent text messages and call records of a customer. VHA immediately commissioned an investigation by one of Australia's top accounting firms. The investigation found there was no evidence VHA management had instructed the employee to access the messages and that VHA staff were fully aware of their legal obligations in relation to customer information.
But O'Brien is not satisfied.
"Vodafone has got a lot of questions to answer and they haven't done so," she said. "The thing to be asking Vodafone is, 'You commissioned an investigation, what happened with that?' It's all very well to say we had an investigation and it wasn't our officials that ordered it. Well who did? And what did you do about it?"
Privacy experts also warn that as customer information is increasingly digitised, especially ahead of Australia's new data retention scheme, telecommunications companies need to do more to keep this data secure -- including monitoring employee conduct.
"The company is responsible for the behaviour of their employees, contractors and agents," said Jon Lawrence, executive officer of digital civil liberties group Electronic Frontiers Australia. "They are required to ensure they have appropriate internal controls and procedures to ensure that the privacy of their customers is protected."
For its part, Vodafone says it has appointed a dedicated privacy officer and "invested heavily in the security of its IT systems" over the past four years, and that it has "very strict controls and processes around the privacy of customer information."
But EFA's Jon Lawrence says the incident should serve as a warning to telcos and customers alike.
"Whatever the specifics of this particular issue, it highlights the fact that communications data is readily compromisable through any number of means, including unauthorised internal access from disgruntled or compromised employees," he said.
As the journalist at the centre of the episode, Natalie O'Brien has a warning of her own.
"It's too easy for this to happen to people, not just to journalists but to ordinary people," she said. "People need to be aware that this...can happen. It's not right, but it is happening."
Vodafone declined to respond to questions beyond its official statement, which you can read in full here [PDF].