On October 27, Business Tech reported:
Vodacom is providing information which uniquely identifies you as a subscriber to websites you visit while on its data network.
This was revealed by an online tool created by security researcher, Kenneth White.
Among the data, Vodacom subscribers are inadvertently providing to web servers their phone number and a unique identifier for their device called the IMEI/SV.
Recent media reports suggest that this data is being sent to web servers because Vodacom is modifying the web traffic of its subscribers.
In particular, it is injecting an additional hypertext transfer protocol (HTTP) header into the messages subscribers send to servers when requesting items such as web pages.
When asked about the apparent data leak, Vodacom said it is still investigating the issue as a matter of urgency.
And apparently, they did. On October 30, Business Tech reported:
Vodacom says it has fixed an issue which caused subscriber phone numbers and device identifiers (IMEI/SV) to be sent to websites when accessing them from its data network.
Richard Boorman, who is a spokesperson for the network, said that they recently ran a software update to increase the security of some of the services it offers on the network.
Queried about what this security upgrade entailed, Vodacom said that it wanted to switch from RADIUS to LDAP authentication.
In an interview on CapeTalk, Boorman said that the update happened around two weeks ago:
“Thanks to the MyBroadband investigation, we identified a bug in this update which means that in some cases the cellphone number and IMEI number were sporadically visible to other websites,” Boorman said.
“As soon as we were made aware, we reversed the software update and are now developing a fix,” he said. “We thank MyBroadband and its members for bringing this to our attention and helping with a speedy resolution.”
Now that’s the way to respond to a notification or inquiry!