The subscriber information, which included names, addresses, driver’s licenses, and credit card information, was stored on a site that is only supposed to be accessible by dealers using shared IDs and passwords. Apparently, the information was sold to unauthorized individuals, Vodafone admitted last month.
In response to the incident, the Australian Privacy Commissioner opened an investigation into whether Vodafone violated the country’s Privacy Act. On Feb. 16, the agency issued its report on the Vodafone data breach probe.
Privacy Commissioner Pilgrim said that while he “did not find any evidence that substantiated the claim that Vodafone customers' personal information was available on a publically accessible website”, the company “did not have appropriate security measures in place to protect customer's personal information at the time. Consequently, Vodafone was in breach of their obligations under the Privacy Act."
Pilgrim added that he “was particularly concerned by Vodafone's use of shared logins and passwords for staff and the broad range of detailed personal information available to them.”
In response to the probe, Vodafone agreed to review its IT security and ensure that all appropriate staff, including employees in retail stores and dealerships, be issued individual login IDs and passwords.
The Privacy Act does not provide the Privacy Commissioner the ability to sanction companies found guilty of violating the law, Pilgrim admitted. He said that the Australian Law Reform Commission has recommended that the enforcement provisions of the act be strengthened.