IT security: Vodafone Australia's got your number - and so have loads of other people

Think of the scale of the Vodafone data security failure like this: imaging your bank allowed unrestricted access to all of its customer-facing staff to the entirety of the data the bank holds on you including not just name, address, balances and - perhaps - identity numbers but also all its transactional records - and credit / debit card data if you pay your bills by standing order charged to your card.

Not, you will notice, that they limit access to this data to counter-staff or call centre staff. Now imagine that your bank has a network of independent agents selling their services and that, as an almost entirely commission-driven business, it attracts what psychologists would regard as employees who, by their nature, are attracted by a higher risk-reward life. And then, having recruited people who might, in other fields, be more suited to be "wide boys" or grey-area trading, your bank then gives them access to the same level of data as it allows its own staff.

And let's face it - all over the world, the mobile phone industry has been spotted with consumer fraud, fly-by-night resellers and highly mobile staff who rarely stay in a job long.

Yet, despite the risks, that is, in effect, what Vodafone has done in Australia. It has allegedly allowed its dealers full access to customer data which the company itself holds. That includes financial data, personal data and call records - the sort of information that police and other law enforcement agencies need to get a warrant to access.

The company says that the data is password protected: unfortunately, there is remarkably little control over who is given the password.

Mobile phone shops - the world over - see a succession of staff including managers. They are transferred from branch to branch but also staff - being largely commission based - are also likely to be encouraged to churn customers.

The mobile phone industry has, for some years, been the kind of gold-rush industry that plagued, for decades, the life insurance industry - once a qualifying period has been met, customers can move to another provider without penalty.

Vodafone has been embroiled in all kinds of trouble in Australia with some consumers going so far as to launch a class-action over what they claim is poor service coverage. A list of Vodafone users who are be coming up to renewal and might be sold the idea of change would be a very useful list. Just ask the UK's T-Mobile: they had a data theft last year in which renewals were "hijacked" after a list of pending contract expiries was stolen.

But the list, containing all manner of personal data including call records, has more sinister uses, including identity fraud.

Think blackmail: mobile phones accounts are regarded by the telephone companies as a credit product therefore they undertake credit checks on their users, manage credit limits and threaten disconnection if that limit is breached. That sounds remarkably like a loan account at a bank. And phone companies, like banks, take real-life personal data: unlike e.g. buying from an on-line store that accepts your credit card as a form of identification and requires nothing else, mobile phone companies treat data in a way that is similar to store-cards including analysis of use, yet data protection in the hands of mobile phone companies is treated, under Australian law, in a very different way to data relating to financial services.

That means that Vodafone is not subject to data protection fines for allowing anyone who can get a job in a branch of a dealer selling its products to have access to such sensitive information.

Vodafone's response has been to say that it does not know how many of its approx. 4 million customers have had data copied nor who has copied it. Australian media is speculating that some of the data might have been sold to organised crime gangs.

It would be a surprise if it had not: it's not ancient history to the days before the mobile phone was ubiquitous and many people, especially business people, carried "phone cards" which were a form of charge-card backed by their home or company phone bill. It was found that clerks in hotels were bribed to collect outgoing call records from their systems and to pass them onto criminals. Why? Because the call-records contained the full account number and security codes needed to access the telephone system and charge calls to the card. Because of billing lag from the user to the credit card to the telephone bill as much as six weeks calls were possible before anyone found out.

The company says that it "appears to be a one-off breach," according to a report in the Sydney Morning Herald. Vodafone's CEO, Nigel Dews," is quoted as saying "it appears what has happened is that someone has shared a password."

Vodafone says that it is taking steps to secure its system by adopting a new daily password system.

But that's not a solution: it just means that criminals need to get the password from their contact at the first smoking break (half an hour after work starts) and they still have several hours to access and download data.

The core of the issue is not whether branches should have access to on-line approvals but how much of the decision-making data they should be able to see.

That's where Vodafone has failed and where it does not, at least according to its statements so far, appear to be ready to address.

Note: this article has been corrected for spelling errors.