Hi folks,
On Jan 9th, the Sydney Morning Herald ran a very interesting story about millions of Vodafone customers having their data leaked.
The article is slightly misleading, albeit probably unintentionally,
because on first reading it looks like _all_ four million Vodafone
customers had their data leaked, but after reading it, and some related
articles, it seems more likely that anyone's data _could_ have been
stolen, but it's by no means clear whether we're talking 100s or 1000s
of accounts.
It's still important, however, because criminal gangs are buying the
leaked account details, which include credit cards and drivers' license
numbers.
The nub of the matter is that Vodafone employees _and_ Vodafone
dealers are given user ids and passwords that allow them to access the
main user database. This makes sense, because they'd need to be able to
see account details, so that they could provide support and sell
upgrades, and for any number of legitimate reasons.
The problem is that any one of these passwords gives the password
possessor full access to _all four million_ Vodafone accounts! And, not
only that, but they can access it from anywhere on the Internet.
That makes these passwords extremely valuable to criminals and
would-be criminals. I have no idea how many Vodafone employees and
dealers there are, but the number is likely in the thousands.
That's an awful lot of potential targets for the Bad Guys. Put
another way, everyone understands that a chain is only as strong as its
weakest link, and that's an awful long chain.
One's mind wanders and wonders how many other businesses have a
similar model, and therefore, how many other shoes are waiting to drop.
Keep safe folks,
Roger