Create a free account, or log in

Vodafone data breach highlights importance of data protection in SMEs

With Vodafone now the subject of a Privacy Commission investigation for allowing crucial customer data including billing information to be made available through a web portal, experts say SMEs need to be on their toes when it comes to data protection. Businesses must ensure data is covered by multiple layers of protection, which includes the […]
Patrick Stafford
Patrick Stafford

With Vodafone now the subject of a Privacy Commission investigation for allowing crucial customer data including billing information to be made available through a web portal, experts say SMEs need to be on their toes when it comes to data protection.

Businesses must ensure data is covered by multiple layers of protection, which includes the use of multiple passwords, along with digital encryption for critical data such as credit numbers and billing details, these experts say.

“With credit card information, and other information that is critical… having that leaked will result in trouble for your brand,” IDC research manager for IT Marina Beale says.

Yesterday Vodafone chief executive Nigel Dews stated that the incident probably occurred when “somebody shared a password”, which allowed access to the company database.

Vodafone says it is now changing those passwords every 24 hours to keep a tighter grip on security, but experts say other businesses should do more.

Beale says she is surprised there wasn’t a “two-pronged” approach to the security, where an employee’s username is supplemented by a password and another type of security check.

Ovum analyst Craig Skinner says the Vodafone incident provides a critical lesson for SMEs โ€“ data protection needs to be a company-wide issue, and not just a matter for the IT manager.

“It really has to come top down from the business, so if it’s coming from the chief executive, or a board of directors, this is a director level issue because if something gets out, it can affect the whole company.”

Skinner says every company needs to conduct a security audit, whereby the board brings in professionals to look at the data within the business, how it’s protected, and where they are some blind spots where data could be leaked.

“It’s a matter of coming in, and going through the processes, and then involving people who have a good understanding of security procedures. Undertake a security audit and then find out where the risks are.”

Skinner points out that in the Vodafone case, the telco itself has proposed the idea that employees could have been sharing passwords.

“I’m unsure of Vodafone’s operational requirements, but other businesses shouldn’t have a situation where you are able to share a singled password and then gain access to the full amount of information for every customer.”

Skinner also recommends that businesses keep data segregated โ€“ make sure you know which data can be accessed by which employee, so when a breach occurs you know who is responsible and can start an investigation.

“Look at what happened with WikiLeaks,” Skinner says. “You had one employee who had access to all this information, and then was able to leak it all out. If you don’t have internal system checks, you miss this type of thing. If you do have those checks, it raises a red flag immediately.”

“If your data is limited, certain employees can only access certain things. For example, they might only be access to certain elements of an account. Having all of that account information in one place can expose businesses to leaks.”

Skinner says businesses should also keep track of where data is being accessed from, and log access attempts digitally to find out when account information is being opened.

“It’s good to be able to tell the IP address from where data is being accessed. You should be able to determine if someone is accessing data from home, or wherever they are, so you’re able to flag some unusual activity.”