Vodacom admitted that customers faced a “potential vulnerability” after being alerted by the Sunday Times about the loophole in one of its websites.
Almost three million people are registered on Vodacom4me, a website run by the cellular service provider, where customers can manage their accounts online, check call records and costs, send messages and download ring tones.
Two people checking their account balances stumbled upon the security blooper, managing to gain access to other customers’ private call records.
Anthony Booysen and Tal Orlik, from Cape Town, explained how it worked. “One only has to be registered with Vodacom4me. On the site, change a digit and you get a random itemised bill with all the calls a person has made,” said Booysen.
The Sunday Times was able to gain access to the records of over 20 people, including the numbers they dialled, the cost of calls made, their names and addresses.
They ranged from financial consultants and small businesses to a Vodacom IT employee and a man whose movements could be tracked from Norway to Russia over the festive season. Many were not amused. “In the wrong hands this could be destructive, and the website lets you save it,” said Booysen.
Anna Grimbeek, an irate Vodacom subscriber from Potchefstroom, said the breach had put her in potential danger from criminals. “You can tell me the exact amount of money I paid for my children’s phone yesterday. You’ve got proof of my residence. What happens when that kind of information gets into the wrong hands?”
Vodacom spokesman Dot Field said that when the Sunday Times brought the matter to their attention, the vulnerable section of the website was “disabled with immediate effect”.
The weakness had made it possible to display random customer information from a “caching front end server” which briefly stored information. The main database of information was secure, she said.
“The systems are continuously being improved with upgrades … and Vodacom will always do everything possible to protect confidential information,” said Field.