The Privacy Commissioner has launched an investigation into Vodafone after a lost password allowed thousands of customers’ private details to be accessed through the company’s database.
The alleged privacy breach, which occurred over the weekend, also comes as thousands of customers are organising a class-action lawsuit against the company for various network failures as VHA merges its two entities, the Vodafone and Three.
“I have opened an motion investigation into the matter today,” commissioner Timothy Pilgrim said in a statement.
The alleged breach is the latest in the telco sector, and comes after telco giant Telstra has encountered privacy issues of its own, with hundreds of letters sent out to the wrong customers revealing private billing and account details last year.
Lawyer Sasha Ivantsoff from law firm Piper Alderman, which is organising the class-action, says the firm will “have a look at” the issue, and confirmed that he will incorporate a question about privacy matters into a questionnaire to be sent out to prospective class-action members this week.
The data reported to have been made available included names, addresses, driver’s license detail and even credit card numbers. Call records and billing details have also been made available.
This morning Pilgrim said that an investigation had been launched already.
“Our Office takes all allegations of privacy breaches very seriously. All organisations should ensure the security of their customers’ personal information or risk breaching the Privacy Act and causing serious customer dissatisfaction and possible loss of business as a result,” Pilgrim said.
“The Office’s first step will be to determine whether Vodafone’s activities constitute a breach of the Privacy Act. I am concerned about the amount of personal information that may have been disclosed which could include sensitive information.”
Vodafone chief executive Nigel Dews has stated that the breach occurred when, “somebody shared a password”, which allowed access to a database that contained the private details of thousands of members. It is understood this password was an employee’s that had been given out.
But a Vodafone spokesperson said this morning that “Vodafone’s customer details are not ‘publically available on the internet'”.
“Customer information is stored on Vodafone’s internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password,” the spokesperson said.
“All passwords have been reset and a review is being undertaken of the training and process as an additional precaution.”
The spokesperson also said an investigation is being conducted, and that the matter will be referred to the Federal Police “if appropriate”.
The Privacy Act contains provisions that mandate companies take reasonable efforts to protect the privacy of their customers.
If the Privacy Commissioner finds Vodafone has breached the Privacy Act, the telco could be liable to pay compensation that could run into millions of dollars.
However, similar punishments have not been used in recent cases: Google was found to have breached the Act with its Street View privacy issue in 2010, but was not ordered to pay a fine or compensation.
COMMENTS
SmartCompany is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while it is being reviewed, but we’re working as fast as we can to keep the conversation rolling.
The SmartCompany comment section is members-only content. Please subscribe to leave a comment.
The SmartCompany comment section is members-only content. Please login to leave a comment.