In response to allegations published yesterday of a serious security breach that may have left millions of Vodafone customers’ personal details and credit card information at risk, Vodafone announced that it is investigating the allegations but denies that customer records are publicly available on the Internet:
The AAP also reports:
The mobile phone company has reset all passwords for its web portal, used by employees and dealers.
[…]
A Vodafone spokesman said the company was concerned to hear of the alleged breach.
“Vodafone’s customer details are not ‘publicly available on the internet’,” he said in a statement today.
“Customer information is stored on Vodafone’s internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password.
Read more on news.com.au
But while Vodafone seems to be denying a breach – or at least some of the allegations – other coverage suggests that Vodafone has acknowledged that there has been a breach. Vienna Ma reports:
According to Vodafone chief executive Nigel Dews, the company was concerned to hear of the alleged breach, and an internal investigation is underway to work out who breached the system and how, and refer the matter to the Australian Federal Police if appropriate.
Vodafone has confirmed it believes its secure customer database has been breached by an employee or dealer who has shared the access password, revealing the personal details of millions of customers.
The mobile phone company has reset all passwords for its web portal, used by employees and dealers.
Dews said a full report will be delivered to him on Monday, but at this stage, he does not believe it is a widespread problem.
Read more on Trading Markets.
Peter Martin and Lucy Battersby also report that the breach denial is not a total denial:
‘It appears what has happened is that somebody shared a password,” Vodafone chief executive Nigel Dews told The Age. ”It appears to be a one-off breach and we have got out internal investigators looking into it right now. We reset our passwords last night and we are resetting them every 24 hours until that investigation is complete.”
[…]
Mr Dews declined to say whether Vodafone kept logs of every access, saying he did not want to hand out information that could help hackers.
Read more in the Sydney Morning Herald.
I’m quite familiar with such antics.
It’s all about PR shills using carefully crafted phrases.
Imagine that crooks break into Fort Knox are seen loading heavy boxes into a truck with a forklift and speeding away.
Has gold been stolen from Fort Knox? Well, it’s possible that it wasn’t gold in the boxes…
So, PR shills would be expected to say that there’s no evidence that gold was stolen from Fort Knox.
Here’s a similar example, which I’m involved in: http://caringaboutsecurity.wordpress.com/2008/07/11/whats-this-all-about/