VODAFONE Australia launched an internal investigation into a security breach that has put invoicing and call records on a publicly accessible website protected only by passwords that are changed monthly. Allegedly, anyone with a Vodafone login could view sensitive personal data.
A Vodafone spokesperson claimed that customer details were not available on the internet. “Customer information is stored on Vodafone’s internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password”.
Vodafone also faces the prospect of privacy concerns being investigated by the Office of the Privacy Commissioner. The Commissioner has the power to conduct an investigation on behalf of affected customers and direct that compensation be paid to those affected. However, it appears that the Commissioner doesn’t have the power to fine Vodafone directly for any data breach.
The main issue from preliminary reports is that Vodafone allowed details of its customers, including names, addresses, call records and charges, to be accessible via a public website. This data could be accessed with nothing more than a password. It is unclear whether separate individuals were issued with the same log-in details and password; if so, it would be difficult to trace back exactly who accessed which data and whether they had reasonable cause to do so.
A further issue is the extent of the records kept of the activity of those logging in to the system. Without a robust record to audit, Vodafone will be unsure how many records have been accessed without authority, which will complicate any possible compensation claims. Vodafone declined to specify what logs are maintained, stating that it did not want to hand out information that could help hackers.
This incident came at a difficult time for Vodafone, which faces several possible lawsuits relating to alleged quality-of-service issues for customers in Australia, including outages supposedly resulting from Vodafone’s 3G network upgrade.
System logs & Auditing
Keeping track of what your IT system is actually doing is one of the most important, but tedious, processes in good IT security management. Without sufficient logs of the activity on your system [log-ins, activity, access to files and databases, downloads, changes of data, emails etc.], an effective and meaningful audit is not possible.
A suitable depth of logs is also a priority – if logs are kept for just four weeks but the suspicious activity occurred two months ago, then again no useful audit can be undertaken. As the cost and physical size of storage media continue to drop dramatically, any security process should include a suitable catchment (what is logged) and depth (how long it is retained) of log activity.
The need for an audit is usually triggered by the following:
- A reported security lapse from an investigation, physical inspection or alert from a third party, as was the case for Vodafone being tipped off by a journalist
- Activity hits a specified event trigger – such as a spike in activity for certain usernames or access to areas which are not normally permitted
- A review required by the CIO or by an external audit team reviewing the system in line with procedures
Whenever a data breach is alleged or detected, one of the first steps for investigators is to review the logs for access to the system and data. Matching event logs to suspicious log-ins and activity is part and parcel of an audit. Other information such as physical access to buildings or certain offices, originating IP addresses and MAC addresses for machines may also be cross referenced as part of the audit to determine the nature and extent of the security breach.
Other important security steps for being able to mount an effective audit include:
- Passwords – all passwords should be changed periodically and previous passwords must not be recycled
- Usernames – all usernames should be unique and utilise letters and numbers, e.g. ANART22 or 25-IPIO, to discourage guessing by hackers
- Usernames – they should also avoid being obvious, such as a user’s first or last name or the name of the town or branch – e.g. David or Auburn.
- Log access errors – all unsuccessful log-in attempts should be conveyed to the user and administrator for review and for detection of attempted hacking
- IP address – record all originating IP addresses for log-ins and plot them geographically [though they may be spoofed]
- Account management – records when user accounts are added, modified or deleted in any way
- Object access – records when certain sensitive files, folders and other system objects are opened, closed or otherwise “touched”
- Privilege use – records when users exercise privileges assigned to them beyond regular activity
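As an added illustration (not code from the article, from Regents or from Vodafone’s systems), the following Python audit pass applies the event triggers and log categories listed above to constructed sample log lines: repeated unsuccessful log-ins, an activity spike for one username, access to a restricted object, and one username logging in from several addresses, which is the shared log-in details problem raised earlier. The log format, thresholds, usernames, IP addresses and role mapping are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (not Vodafone's and not from the article); one event per line.
SAMPLE_LOG = """\
2011-01-09T09:01:10 user=ANART22 ip=203.0.113.7 action=LOGIN result=OK
2011-01-09T09:40:12 user=ANART22 ip=198.51.100.9 action=LOGIN result=OK
2011-01-09T10:10:33 user=ANART22 ip=192.0.2.44 action=LOGIN result=OK
2011-01-09T10:11:01 user=ANART22 ip=192.0.2.44 action=VIEW object=/billing/exports/all result=OK
2011-01-09T11:00:00 user=25-IPIO ip=203.0.113.8 action=LOGIN result=FAIL
2011-01-09T11:00:07 user=25-IPIO ip=203.0.113.8 action=LOGIN result=FAIL
2011-01-09T11:00:15 user=25-IPIO ip=203.0.113.8 action=LOGIN result=FAIL
"""
# Sixty call-record views by one username inside a minute: the activity-spike trigger (constructed).
SAMPLE_LOG += "".join(
    f"2011-01-09T12:00:{i:02d} user=BRX71 ip=203.0.113.9 action=VIEW object=/customers/{2000+i}/calls result=OK\n"
    for i in range(60))

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")   # assumed format: "<timestamp> key=value ..."
RESTRICTED_PREFIXES = ("/billing/exports",)            # assumed: bulk exports need a separate role
BULK_EXPORT_ROLE = {"AUDIT01"}                         # assumed: the only username allowed bulk exports

def parse(log_text):
    # Turn each 'ts key=value ...' line into a dict; lines that do not match are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = {"ts": m.group("ts")}
            ev.update(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
            events.append(ev)
    return events

def audit(events, view_spike=50, fail_limit=3, ip_limit=2):
    # Return (finding, user, detail) tuples for the triggers the article lists.
    findings, views, fails, ips = [], Counter(), Counter(), defaultdict(set)
    for ev in events:
        user, action = ev.get("user", "?"), ev.get("action")
        if action == "LOGIN" and ev.get("result") == "OK":
            ips[user].add(ev.get("ip"))            # originating IP per successful log-in
        elif action == "LOGIN":
            fails[user] += 1                       # unsuccessful log-in attempts
        elif action == "VIEW":
            views[user] += 1                       # object access
            obj = ev.get("object", "")
            if obj.startswith(RESTRICTED_PREFIXES) and user not in BULK_EXPORT_ROLE:
                findings.append(("restricted-object", user, obj))
    findings += [("activity-spike", u, n) for u, n in views.items() if n >= view_spike]
    findings += [("failed-logins", u, n) for u, n in fails.items() if n >= fail_limit]
    # One username seen from more addresses than expected suggests shared log-in details.
    findings += [("shared-credential", u, sorted(s)) for u, s in ips.items() if len(s) > ip_limit]
    return findings
```

Running `audit(parse(SAMPLE_LOG))` yields four findings, one for each trigger; the thresholds are parameters so they can be tuned to a real system’s normal activity.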
Do you need to know more about our services and how Regents can assist you with preventing information loss and investigating security breaches? Simply go to our Cyber Threats page or our Contact Us page for our phone numbers, or send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.