This is not a non-story...
I think Richard Chirgwin has rather missed the point.
Of course companies have web portals that allow access to customer information for the purposes of self-service. However, each customer has a unique log-in, and knowing that log-in only gives you access to that customer’s records.
Other information may be available via an extranet, but this is only a sub-set of information useful for other specific circumstances, such as stock levels and ordering systems. Such systems in any case may be tied to specific IP addresses, and shouldn’t contain sensitive customer information.
Companies should be much more restrictive about access to their back-end systems, however, where information about every customer can be seen. Usually such systems are only available in specific locations (e.g. at a call centre or branch), and require a log-in tied to an individual employee. Where remote access is possible, it is via a VPN link, again tied to an individual user and authenticated using something like an RSA token.
In this case, Vodafone was allowing access to its entire back-end system from any internet-connected computer using nothing more than a generic password. Richard Chirgwin mentions banks, as if this behaviour is usual – but would you be happy if someone could access all the information the bank has on file about you from anywhere in the world using a simple username/password combination – especially when such logins are generic and shared between many different users? I think not.
For sure, the media has hyped this up somewhat (saying ‘their whole customer base information is publicly accessible on the internet’ is a bit of a stretch), but there is still a genuine story here. Vodafone Australia’s infosec policies are clearly not up to scratch, potentially exposing customer information to miscreants who could use it to commit fraud, including identity theft. And that is no trivial matter.
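As an added illustration (written for this page, not code from the original comment, from Vodafone or from the article it replies to), the following Python sketch encodes the three access tiers the comment distinguishes as one policy check: a customer portal login reads only that customer's records, an extranet is tied to partner IP ranges and never serves customer personal data, and the back-end is reachable only from an on-site location or over a VPN with an individual login plus a second factor. The partner network, account names and addresses are constructed sample values; the last sample request is the shared-password-from-anywhere pattern the comment objects to, and it is refused.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class System(Enum):
    CUSTOMER_PORTAL = "customer_portal"  # self-service: one customer's own records
    EXTRANET = "extranet"                # partner-facing subset: stock, ordering
    BACKEND = "backend"                  # staff system holding every customer's data


class Origin(Enum):
    ON_SITE = "on_site"    # call centre or branch network
    VPN = "vpn"
    INTERNET = "internet"


# Constructed sample partner range for the extranet (assumption: in practice
# this would be loaded from configuration, not hard-coded).
EXTRANET_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class AccessRequest:
    system: System
    origin: Origin
    account: str                        # login name presented
    individual: bool                    # login is tied to one named person, not shared
    mfa: bool                           # second factor presented (e.g. a hardware token)
    source_ip: str
    sensitive: bool = False             # request touches customer personal data
    record_owner: Optional[str] = None  # customer whose record is requested (portal only)


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request under the tiered policy."""
    if req.system is System.CUSTOMER_PORTAL:
        # A customer login gives access to that customer's records and nothing else.
        if req.record_owner == req.account:
            return True, "portal: own records"
        return False, "portal: a login may only read its own records"

    if req.system is System.EXTRANET:
        # Tied to partner address ranges; customer personal data is never served here.
        addr = ipaddress.ip_address(req.source_ip)
        if not any(addr in net for net in EXTRANET_NETWORKS):
            return False, "extranet: source address not in partner range"
        if req.sensitive:
            return False, "extranet: customer personal data is not available here"
        return True, "extranet: non-sensitive subset"

    # Back-end: every customer is visible, so both identity and location matter.
    if not req.individual:
        return False, "backend: shared or generic account refused"
    if req.origin is Origin.ON_SITE:
        return True, "backend: on-site individual login"
    if req.origin is Origin.VPN and req.mfa:
        return True, "backend: VPN with individual login and second factor"
    return False, "backend: only on-site, or via VPN with a second factor"


# Constructed sample requests, one or two per tier.
SAMPLE_REQUESTS: Dict[str, AccessRequest] = {
    "customer_own": AccessRequest(System.CUSTOMER_PORTAL, Origin.INTERNET, "cust-1001",
                                  individual=True, mfa=False, source_ip="203.0.113.5",
                                  sensitive=True, record_owner="cust-1001"),
    "customer_other": AccessRequest(System.CUSTOMER_PORTAL, Origin.INTERNET, "cust-1001",
                                    individual=True, mfa=False, source_ip="203.0.113.5",
                                    sensitive=True, record_owner="cust-2002"),
    "partner_stock": AccessRequest(System.EXTRANET, Origin.INTERNET, "partner-acme",
                                   individual=False, mfa=False, source_ip="198.51.100.7"),
    "partner_offrange": AccessRequest(System.EXTRANET, Origin.INTERNET, "partner-acme",
                                      individual=False, mfa=False, source_ip="203.0.113.9"),
    "staff_onsite": AccessRequest(System.BACKEND, Origin.ON_SITE, "jsmith",
                                  individual=True, mfa=False, source_ip="10.1.2.3", sensitive=True),
    "staff_vpn_token": AccessRequest(System.BACKEND, Origin.VPN, "jsmith",
                                     individual=True, mfa=True, source_ip="203.0.113.40", sensitive=True),
    "staff_vpn_no_token": AccessRequest(System.BACKEND, Origin.VPN, "jsmith",
                                        individual=True, mfa=False, source_ip="203.0.113.40", sensitive=True),
    "generic_from_internet": AccessRequest(System.BACKEND, Origin.INTERNET, "dealer",
                                           individual=False, mfa=False, source_ip="203.0.113.77", sensitive=True),
}


def decisions() -> Dict[str, bool]:
    """Allow/deny outcome for every sample request, keyed by its label."""
    return {name: evaluate(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        allowed, reason = evaluate(req)
        print(f"{name:22} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The point of ordering the back-end checks this way is that a shared account is refused before location is even considered: a generic login from inside a branch is still a generic login, and the reason string says so, which is what an audit trail needs to show.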