Vodafone 'fesses up to hack of journalist's phone, denies 'improper behaviour'
Oz wing of mobe operator blames rogue employee
The Australian division of mobile giant Vodafone has admitted that one of its employees illegally accessed the phone records of a journalist to try to uncover her sources, following publication of a negative story.
However, Vodafone – which first investigated allegations of a privacy breach four years ago – has strongly denied that its actions were unlawful.
Fairfax journalist Natalie O'Brien, writing in the Sydney Morning Herald on Sunday, said that the hacking of her phone had been a "creepy, nauseating experience".
A Sun-Herald front-page splash under O'Brien's byline appeared in the newspaper in January 2011. She said that her messages had been hacked in the wake of her scoop revealing serious vulnerabilities in Voda's Siebel data system.
"This vulnerability in Vodafone's systems was a matter of legitimate public interest," O'Brien said.
"I also happened to be a Vodafone customer," she added.
"I have since learnt that immediately after the release of my story, a Vodafone employee accessed and downloaded a copy of my text messages and call records.
"The shock and anger is only compounded knowing it was because I was doing my job that I was targeted and it was my own telco that was doing it to me."
Vodafone confessed in a statement on its Australian website on Saturday that an employee at the company had hacked into a customer's phone.
The mobile operator said:
Our investigation into alleged privacy breaches in January 2011 was undertaken to determine if any VHA [Vodafone Hutchison Australia] staff had breached privacy laws or engaged in any criminal behaviour, not to discover the source of damaging media stories.
As a result of our investigation, several retail staff were dismissed for breaches of VHA security policies.
In around June 2012, VHA became aware that an employee had, in January 2011, accessed some recent text messages and call records of a customer. VHA immediately commissioned an investigation by one of Australia's top accounting firms.
The investigation found there was no evidence VHA management had instructed the employee to access the messages and that VHA staff were fully aware of their legal obligations in relation to customer information.
However, it's been reported by The Australian newspaper – which claimed to have seen an internal Vodafone email – that Voda had allegedly attempted to stifle privacy breaches at the company.
In a 2012 email addressed to Vodafone Group's global corporate security director Richard Knowlton, the carrier's then-head of fraud Colin Yates was quoted as saying:
“If the issue relating to breaching the reporter’s privacy by searching her private call records and text messages gets into the public domain, this could have serious consequences given it is a breach of the Australian Telecommunications Act.
“And [it] would certainly destroy all of the work done by VHA over the past months to try and restore their reputation.”
Vodafone said that it had "invested heavily in security of its IT systems" since 2011 when the breach occurred. It added:
The company has very strict controls and processes around the privacy of customer information, and has appointed a dedicated privacy officer. The privacy of our customers and protection of their information is our highest priority and we take this responsibility very seriously.