Vodafone Hutchison Australia (VHA) is being implicated in a fairly stunning scandal, in which it has admitted to having improperly accessed a reporter’s phone in search of the identity of a whistleblower. An individual had leaked confidential security information to her, regarding a story about vulnerabilities in the company’s customer identity systems.
The reporter had been writing an article detailing how the personal information of millions of Vodafone customers was easily accessible online, including home addresses, driver’s license information, and credit card details. A day after Natalie O’Brien published that story, her call and message data was apparently accessed in search of her source.
Vodafone denies any wrongdoing, issuing the following statement in a public release on its Australian website:
VHA strongly denies any allegations of improper behaviour. VHA takes its legal and corporate responsibilities very seriously. Over the past four years, VHA has invested heavily in the security of its IT systems. The company has very strict controls and processes around the privacy of customer information, and has appointed a dedicated privacy officer. The privacy of our customers and protection of their information is our highest priority and we take this responsibility very seriously.
However, later in the same public release, it does admit that an employee accessed the records in question, precisely as O’Brien alleges:
In around June 2012, VHA became aware that an employee had, in January 2011, accessed some recent text messages and call records of a customer. VHA immediately commissioned an investigation by one of Australia’s top accounting firms. The investigation found there was no evidence VHA management had instructed the employee to access the messages and that VHA staff were fully aware of their legal obligations in relation to customer information.
There is also corroborating evidence in the form of leaked emails from Vodafone Group’s head of fraud management and investigations, Colin Yates, in which he makes statements indicating that Vodafone had full knowledge that it had searched her records and was concerned about the possible public relations headache that the information could cause if it became public.
The Guardian has an excellent write-up of the details, as much of the primary sources are locked behind The Australian’s paywall. Additionally, The Sydney Morning Herald has a statement from O’Brien about the personal experience of having her privacy breached by her mobile phone provider.