Vodacom has fixed an issue which caused subscriber phone numbers and device identifiers (IMEI/SV) to be sent to websites when accessing them from its data network.
Richard Boorman, who is a spokesperson for the network, said that they recently ran a software update to increase the security of some of the services it offers on the network.
Queried about what this security upgrade entailed, Vodacom said that it wanted to switch from RADIUS to LDAP authentication.
In an interview on CapeTalk, Boorman said that the update happened around two weeks ago:
“Thanks to the MyBroadband investigation, we identified a bug in this update which means that in some cases the cellphone number and IMEI number were sporadically visible to other websites,” Boorman said.
“As soon as we were made aware, we reversed the software update and are now developing a fix,” he said. “We thank MyBroadband and its members for bringing this to our attention and helping with a speedy resolution.”
Responding to a report which appeared in The Times this morning, Boorman said Vodacom does not sell customer information to third parties.
“At no point do we disclose personal information such as customer names, billing information, or anything else along these lines,” Boorman said.
He confirmed that Vodacom does offer services which lets subscribers charge things to their phone bill, such as apps from app stores.
“This is especially important for customers who do not have access to a credit card and is a way to ensure sure that all customers can benefit from full connectivity,” Boorman said.
He added that they also support services where customers opt-in, such as Vodacom’s Look-for-Me emergency location service.
“In these specific instances, we provide the cellphone number to the app store or service provider so that the service can be charged,” Boorman said.
The software upgrade which introduced the bug – which leaked phone numbers and device identifiers to other websites – was intended to make this process more secure, he said.