Vodafone’s Australian business has come under scrutiny by the media following the report of an alleged data security breach.

It appears that each store belonging to a Vodafone retailer, including its affiliates, has one password and user ID with which to gain access to the customer database. This is changed every 3 months. That means everyone working in that store uses the same password and user ID. Clearly this is not best practice. However, once authenticated, all employees have access to individual customers' own personal PIN numbers, which are required to access and manage their own accounts, including credit card numbers. Again, this is clearly a significant lack of common sense, and it also brings their PCI status into question.

However, I am not going to dwell on the obvious. My observation is the following: how appropriate is a password refresh every 3 months in an industry where there can be a high turnover of staff?

This particular question ought to be examined as part of the project's own risk assessment and as part of the ongoing risk management within the business. However, in my experience, most strategic assessments of information security risks just don’t go far enough.

Many information security consultants, and many internal security documents and procedures, refer to well-circulated lists or templates of accepted threats. Only recently I spotted one of these lists whilst performing an ISO27001 Part 1 Gap analysis, including the spelling mistakes! However, what is missing here is the context within which these threats, the business and society as a whole exist. This is where many risk assessments fail, where consultants fail their employers or clients, and where business and personal reputations are damaged. Contextual understanding is for me what differentiates the thinking security consultants from those that do, no matter how good a job they “do”. External factors influence risk assessments. Political, economic, social and even industry-specific trends and behaviour all affect threats and the likelihood of these occurring. In the case of Vodafone I am compelled to ask whether the high turnover of employees in the retail space was taken into consideration at all.

If you believe that your business could benefit from understanding more about contextual risk assessments, please do get in contact.
