
Vodafone data leak – a long chain with several weak links

Hi folks,

On Jan 9th, the Sydney Morning Herald ran a very interesting story about millions of Vodafone customers having their data leaked.

The article is slightly misleading, albeit probably unintentionally. On first reading it looks like _all_ four million Vodafone customers had their data leaked, but after reading it and some related articles, it seems more likely that anyone’s data _could_ have been stolen, and it’s by no means clear whether we’re talking 100s or 1000s of accounts.

It’s still important, however, because criminal gangs are buying the leaked account details, which include credit cards and drivers’ license numbers.

The nub of the matter is that Vodafone employees _and_ Vodafone dealers are given user IDs and passwords that allow them to access the main user database. This makes sense, because they need to be able to see account details in order to provide support, sell upgrades, and handle any number of other legitimate tasks.

The problem is that any one of these passwords gives the password possessor full access to _all four million_ Vodafone accounts! And, not only that, but they can access it from anywhere on the Internet.

That makes these passwords extremely valuable to criminals and would-be criminals. I have no idea how many Vodafone employees and dealers there are, but the number is likely in the thousands. 

That’s an awful lot of potential targets for the Bad Guys. Put another way, everyone understands that a chain is only as strong as its weakest link, and that’s an awful long chain.

One’s mind wanders and wonders how many other businesses have a similar model, and therefore, how many other shoes are waiting to drop.

Keep safe folks,

Roger

 
