[BreachExchange] Vodafone customer account details 'briefly exposed' after software update

Destry Winant destry at riskbasedsecurity.com
Mon Sep 30 01:14:07 EDT 2019


https://www.stuff.co.nz/business/116072133/vodafone-preparing-comment-on-apparent-privacy-breach

Vodafone says customers were able to access other people's account
information through its MyVodafone app on Wednesday morning.

Spokeswoman Meera Kaushik said the privacy breach followed a planned
upgrade to the app at 7am, which resulted in an "unexpected caching
issue".

"The upgrade was rolled back within 15 minutes and the caching issue
corrected, however it did mean that for a period of time a small
number of users were able to see some of the information that
customers had entered into their app," she said.

Vodafone's analysis was not complete, "but we have confirmed that at
least three customers' personal information was exposed in the brief
period of time between the upgrade and the roll-back this morning,"
Kaushik said on Wednesday afternoon.

"The root cause of the incident has been identified and remedied" and
customers' full credit card details were not visible, she said.

"We've advised the Privacy Commissioner and are contacting these
customers to notify them."

Auckland man Umesh Dayal said he was contacted by "at least
half-a-dozen" people on Wednesday morning who had told him they had
seen his details, instead of their own, when they logged on to the
app.

"They were able to log off and back into their own account.

"It looks like a glitch to me. Vodafone are confused at this stage,"
he said, speaking prior to Vodafone's statement.

"Obviously there is a privacy breach."

Dayal said he was not overly concerned. "It is nothing that is going
to cost me anything."

Another Vodafone customer, Peter Murphy, said he had also been presented
with Dayal's account details, and had then seen the account details of
two other Vodafone customers when he logged off and back into the app.

"Vodafone said 'delete the app and reinstall it'."

He believed he would have been able to make changes to those people's accounts.

"I could have bought a data plan or changed the plan they were on."

Murphy said he was concerned his own personal information could have
been available to other Vodafone customers.

