Vodafone Australia

Summary

Vodafone Hutchison Australia's customer database was compromised through unauthorised access by employees and third-party dealers. Criminal groups obtained customer information including names, addresses and credit card details, while others used the access to monitor communications of partners and acquaintances.

What Happened

The breach occurred when database passwords for Vodafone's Siebel customer management system were compromised by employees or authorised dealers who had legitimate system access. The customer data was stored on internet-accessible servers rather than secure internal systems.

Criminal organisations paid insiders for access to customer records. Individuals with system access could view customer bills and phone records and make unauthorised account changes. The security weakness allowed anyone with valid credentials to look up any customer's personal information and modify their account details.

Vodafone discovered the breach on 8 January 2011 and immediately began resetting all system passwords.

Impact on Individuals

Affected customers faced multiple risks:

  • Identity theft: Home addresses and credit card details were exposed, enabling criminals to open fraudulent accounts or make unauthorised purchases
  • Privacy violations: Phone bills and call records were accessible, revealing personal communications and usage patterns
  • Relationship surveillance: Some individuals used the unauthorised access to monitor partners' or acquaintances' phone usage and communications

Customers were advised to monitor their credit cards for suspicious transactions and be alert to unusual account activity.

Organisational Response

Vodafone reset all system passwords on Saturday, 8 January 2011, after learning of the breach, and continued rotating passwords every 24 hours as a precautionary measure. All retail stores and authorised dealers were required to contact Vodafone's helpdesk on 9 January 2011 to verify their identity before receiving new credentials.

The company terminated several staff members connected to the unauthorised access and contacted NSW Police. Vodafone emphasised that while insider access was compromised, no credentials or customer data were accessible via the public internet or the Vodafone website itself.

The Privacy Commissioner investigated and concluded that Vodafone Hutchison Australia failed to maintain adequate security controls to protect personal information in its Siebel system, constituting a breach of privacy principles.
