A security flaw in the “My Vodacom” online portal exposed Vodacom subscribers’ personal details, including account balances, package details, service providers, average monthly spend, the phone used, PUK and PIN details.
The flaw allowed a Vodacom subscriber who is logged into the My Vodacom online portal to enter any Vodacom number and find personal details linked to this number.
The security flaw was reported to MyBroadband by a concerned forum member Christopher Brunsdon (cbrunsdonza).
Vodacom was alerted about the security flaw on the afternoon of the 26 December and the company launched a “complete investigation”.
Vodacom reported back to MyBroadband on the same day that the flaw was identified, and a patch was developed overnight.
The patch was tested successfully on the morning of the 27 December and was deployed into production by midday on the same day. Overall it took less than 24 hours to find and rectify the problem.
“Only high level account summary information was exposed such as the type of package and the balances. No banking information was compromised nor was it possible to transact on the affected number,” said Vodacom.
Vodacom added that the security of customer information is of paramount importance to them, and that they will be reviewing their systems accordingly.
“We’re grateful to Brunsdon and MyBroadband for bringing this to our attention. We take customer data security extremely seriously and with the help of MyBroadband and its members were able to quickly make changes to our systems,” said Vodacom.