British mobile carrier Vodafone finally plugged a hole today on a customer Web site that could be used to obtain e-mail addresses and phone numbers by entering some basic or guessable information on the password reminder page.
Vodafone users began complaining on a customer forum on Wednesday that the password reminder page confirmed the e-mail address when the phone number was typed in and confirmed the phone number and e-mail address when the log-in name was provided.
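The reminder-page behaviour described above, next to a form that gives every request the same reply and sends the reminder only to the address on file. This is an added example, not Vodafone's code; the account record, function names and messages are constructed for illustration.

```python
# Constructed sample data: one made-up account, not real customer details.
ACCOUNTS = [
    {"login": "jsmith", "phone": "07700900123", "email": "j.smith@example.org"},
]

GENERIC_REPLY = "If those details match an account, a reminder has been sent."


def find_account(identifier):
    """Look up an account by log-in name or phone number."""
    for account in ACCOUNTS:
        if identifier in (account["login"], account["phone"]):
            return account
    return None


def remind_leaky(identifier):
    """Behaviour described in the article: the page itself confirms details."""
    account = find_account(identifier)
    if account is None:
        return "No account found."
    if identifier == account["phone"]:
        # Phone number typed in: the page confirms the e-mail address.
        return f"Reminder sent to {account['email']}"
    # Log-in name typed in: the page confirms e-mail address and phone number.
    return f"Reminder sent to {account['email']} / {account['phone']}"


def remind_uniform(identifier, outbox):
    """Same reply for every request; details only go to the address on file."""
    account = find_account(identifier)
    if account is not None:
        # Out-of-band delivery: only the mailbox owner sees the log-in name.
        outbox.append((account["email"], f"Your log-in name is {account['login']}"))
    return GENERIC_REPLY


if __name__ == "__main__":
    outbox = []
    for guess in ("07700900123", "jsmith", "07700900999"):
        print(f"{guess:12} leaky:   {remind_leaky(guess)}")
        print(f"{guess:12} uniform: {remind_uniform(guess, outbox)}")
    print("queued mail:", outbox)
```

A production handler would also rate-limit requests per client, since the code path here still differs for known and unknown identifiers.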
As a Vodafone representative assured customers on the forum that the company was investigating the matter, users were complaining that the problem page was still up and that they were getting spam and e-mail from strangers who knew their phone numbers.
Today a Vodafone spokesman provided CNET with this statement, which was also posted to the forum: "We've updated the My Account section of Vodafone.co.uk, and customers who need a reminder of their details can now request one online. ... We take our customers' security very seriously and started to address the issue as soon as we became aware of your concerns, so thank you for your posts. We also wanted to reassure customers that the personal data stored on their My Account profile has not been directly at risk as a result of the site's functionality and that it didn't allow one user to log in or view another user's My Account pages."
That statement, which did not include an apology, did not do much to pacify users on the forum. Several customers said they had contacted England's Information Commissioner's Office, which investigates consumer privacy matters, and were encouraging others to do so as well.
"Even though the flaw has now been fixed, they (ICO) agreed that Vodafone took too long to take the page down after they were made aware of the issue," one forum user wrote.