The difficulty of keeping company passwords confidential was highlighted after it was revealed that all employee passwords at Vodafone in Australia were being shared so that customer data could be viewed.
According to a report by Dark Reading, Australian Vodafone partners and employees frequently gave out shared passwords, as favours, to people outside the circle of company trust, and this rampant account abuse could have put the names, home addresses, phone logs, driver's licence numbers and credit card details of four million Vodafone customers at risk.
The case came to light when a journalist reported that she had been able to log into Vodafone Australia's most sensitive customer database using legitimate credentials; it has led to Australian privacy commissioner Timothy Pilgrim announcing an investigation into the breach.
A Vodafone spokesperson said in a statement in January that Vodafone's customer details are not ‘publicly available’ on the internet: the data is stored on Vodafone's internal systems and accessed through a secure web portal, and any unauthorised access to the portal would be taken very seriously and would constitute a breach of employment or dealer agreement and possibly a criminal offence.
Vodafone Australia CEO Nigel Dews said: “We've made swift progress. We've terminated the employment of a number of staff, we've undertaken a review of the security systems and processes and we're implementing some of the initiatives straightaway.”
Roger Thompson, VP of web threat research at AVG, said: “The nub of the matter is that Vodafone employees and Vodafone dealers are given user IDs and passwords that allow them to access the main user database. This makes sense, because they would need to be able to see account details so that they could provide support and sell upgrades, and for any number of legitimate reasons.
“The problem is that any one of these passwords gives the password possessor full access to all four million Vodafone accounts. Not only that, but they can access it from anywhere on the internet.
“That makes these passwords extremely valuable to criminals and would-be criminals. I have no idea how many Vodafone employees and dealers there are, but the number is likely in the thousands.
“That's an awful lot of potential targets for the bad guys. Put another way, everyone understands that a chain is only as strong as its weakest link, and that's an awfully long chain. One's mind wanders and wonders how many other businesses have a similar model and therefore how many other shoes are waiting to drop.”
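The access model Thompson describes, a shared user ID that works from anywhere on the internet and can reach every customer record, leaves footprints in the portal's own access logs that a defender can look for: one user ID authenticating from many unrelated source addresses in a short window, and one user ID touching far more customer records than a single support interaction needs. The following is an added example, not code from the article or from Vodafone; the log format, the sample lines and the thresholds are all constructed for illustration.

```python
"""Flag shared-credential and bulk-lookup patterns in portal access logs.

Added example, not from the article or from Vodafone. The log format
("<ISO timestamp> <user_id> <source_ip> <action> <customer_id>"),
the sample lines and the alert thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: dealer042's ID is used from four different
# addresses within seven minutes and touches five customer records;
# staff017 behaves like a single person doing support work.
SAMPLE_LOG = """\
2011-01-09T09:00:01 dealer042 203.0.113.10 lookup C1001
2011-01-09T09:02:14 dealer042 203.0.113.10 lookup C1002
2011-01-09T09:05:30 dealer042 198.51.100.7 lookup C2001
2011-01-09T09:06:02 dealer042 192.0.2.55 lookup C2002
2011-01-09T09:06:45 dealer042 192.0.2.56 lookup C2003
2011-01-09T09:30:00 staff017 203.0.113.20 lookup C3001
2011-01-09T09:31:00 staff017 203.0.113.20 lookup C3002
"""


def parse(log_text):
    """Parse the assumed log format into event dicts sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, customer = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "action": action,
            "customer": customer,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def _by_user(events):
    """Group events by user ID, preserving time order within each group."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append(e)
    return grouped


def shared_credential_alerts(events, window=timedelta(minutes=10), max_ips=2):
    """Return {user: peak_distinct_ips} for user IDs seen from more than
    max_ips distinct source addresses inside any sliding time window.
    A genuine single user rarely changes address that often; a shared
    password used by several people does."""
    alerts = {}
    for user, evs in _by_user(events).items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ips = {e["ip"] for e in evs[start:end + 1]}
            if len(ips) > max_ips:
                alerts[user] = max(len(ips), alerts.get(user, 0))
    return alerts


def bulk_lookup_alerts(events, window=timedelta(hours=1), max_records=4):
    """Return {user: peak_distinct_customers} for user IDs that looked up
    more than max_records distinct customers inside any sliding window.
    This catches the 'full access to every account' problem being used
    for harvesting rather than for one customer's support case."""
    alerts = {}
    for user, evs in _by_user(events).items():
        lookups = [e for e in evs if e["action"] == "lookup"]
        start = 0
        for end in range(len(lookups)):
            while lookups[end]["ts"] - lookups[start]["ts"] > window:
                start += 1
            customers = {e["customer"] for e in lookups[start:end + 1]}
            if len(customers) > max_records:
                alerts[user] = max(len(customers), alerts.get(user, 0))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("shared-credential suspects:", shared_credential_alerts(evs))
    print("bulk-lookup suspects:", bulk_lookup_alerts(evs))
```

Both checks are deliberately independent of the password itself: they work from the portal's audit trail, which is the one place the operator still has visibility once a credential has left the building. Per-user address-count and record-count thresholds would be tuned against real usage, and an alert is a prompt to investigate and rotate the credential, not proof of wrongdoing on its own.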
Stephen Howes, CTO of GrIDsure, said that the sharing of login information is common in many companies and that it was just a matter of time before something like this was reported.
“We have got to fix this as an industry, as people will say ‘who can we trust?’ Unless it is changed we will continue cruising along the same highway,” he said.
“It is not about being stable, it is about properly addressing what is in the process. If it is too complicated people will find a way around it, and organisations would rather take the risk on fraud than on losing out on a sale, but if it is simple and secure, employees would use it.”