Vodafone Australia may face a class action for breach of privacy after it confirmed that its customers' details may have been sold to criminals.
Apparently, the company changed user passwords only once a month, and many people had access to the customer database.
A Vodafone Group spokesman said early indications suggested that this was an isolated incident.
"Vodafone takes customer information and data security extremely seriously and is concerned to hear about this alleged breach," the spokesman said.
He said Vodafone Group password policy complied with the international security standard ISO 27001.
However, ISO 27001 is a framework that specifies where policies are needed rather than what each policy should contain, so compliance with it does not by itself say how often passwords must be changed.
According to the Information Security Forum's Standard of Good Practice, all users should be authenticated using user IDs and passwords or by strong authentication mechanisms (for example, smartcards or biometric devices, such as fingerprint recognition) before they can access target systems. But it is silent on how often passwords should be updated.
On third-party access to corporate information, the ISF guide says there should be ways to balance third-party control with the business risk. This should protect the interests of the organisation in relation to ownership of information and systems, copyright of information and other issues, as well as limit the liabilities of the organisation to third parties.
It should also require compliance with regulatory or statutory obligations such as data privacy legislation, and make third parties accountable for their actions (e.g. by defining responsibilities, permissible actions and incident handling procedures in contracts).
The guide adds that firms should use a process such as encryption to protect sensitive information stored on target systems or in transit to third-party locations. Firms should also log activity to help track individual transactions and enforce accountability, it says.
"Third-party access should be restricted to defined entry points and only through firewalls, users should be authenticated in line with their job role, and data access should be limited in terms of information, application capabilities and privileges using the principle of 'least access'," the standard says.
Vodafone Hutchison Australia said that customer information was stored on Vodafone's internal systems and accessed through a secure web portal. It was accessible to authorised employees and dealers via a secure log-in and password.
"Any unauthorised access to the portal will be taken very seriously, and would constitute a breach of employment or dealer agreement and possibly a criminal offence," the company said.
It added that it had reset all passwords on Saturday 8 January after it learned of the alleged security breach. "We have continued to reset passwords every 24 hours," it said. "We are also undertaking a detailed investigation and review of the training and process as an additional precaution."
Vodafone said that its internal security experts were investigating the matter. "We will refer the matter to the Australian Federal Police if appropriate," it said. It also offered "its full co-operation" to the Australian privacy commissioner.
According to reports first published by Fairfax newspapers, criminal groups paid for some customers' private information, including home addresses and credit card details.
Others had obtained log-ins to check their spouses' communications, and it emerged that anyone with full access to the system could look up a customer's bills and make changes to accounts.