The alleged Vodafone breach is a lesson for all companies holding sensitive information, according to industry commentators.
IP Payments sales and marketing manager, Dennis Pintamalli, said the breach could happen to any company that does not have payment card industry (PCI) compliance.
“A lot of companies know they need PCI compliance but the problem is some don’t,” he said. “This is because the process to become compliant can take two years if the company goes it alone.
“Companies that are proactive with this issue will negate a lot of the potential pitfalls and ensure a significant reduction in liability whilst protecting customers.”
IP Payments is an Australian company that provides PCI compliance offerings to a number of customers, including 20th Century Fox and Procter & Gamble.
According to Pintamalli, similar data breaches have occurred in Australia.
“It’s happened in the past to banks but they don’t have to publicly disclose this,” he said. “The Vodafone case was unfortunate for them as it turned up in the media.”
Australian Privacy Foundation public officer, Nigel Waters, said Vodafone's alleged security lapses may involve breaches of the Privacy Act and offences under the Telecommunications Act.
“We welcome the announcement by the Privacy Commissioner of an investigation,” Waters said.
“There are still a very large number of privacy complaints being handled by the Telecommunications Industry Ombudsman as a quicker and more effective route than the Privacy Commissioner, who has not used Privacy Act powers enough in the telco space.”
A Virgin Mobile spokeswoman said in a statement that the company takes customer security very seriously and has begun reviewing its security process.
“It would be silly not to review processes and go through them with a fine tooth comb in the wake of what has recently happened with Vodafone,” she said. “We at Virgin Mobile feel very confident that we take every step we can to protect the privacy of our customers.
“In our call centres and retail stores you cannot access customers’ personal details unless you have your own personal user name and password, and are at a physical computer that has the application installed on it at a secure location (i.e. stores and call centre).”
She said the company’s secure website has no search facility.
“You can only see the particular information that relates to the phone number and PIN that you have entered; at no time could you see anyone else's details.”
In the event of a security breach, Virgin Mobile can reset the customer's PIN straight away once notified by the customer, she added.
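The access model the Virgin Mobile spokeswoman describes (no search facility, one record reachable only by presenting the phone number together with its PIN, and an immediate PIN reset) is a common defence against enumeration and insecure direct object reference. The following is an added illustration written for this article, not code from Virgin Mobile or any carrier; the customer records, phone numbers, PINs, lockout threshold and function names are all constructed assumptions. It also goes slightly beyond the quoted description by showing two checks a practitioner would expect alongside such a lookup: a constant-time PIN comparison against a salted hash, and equal work for unknown numbers so response time does not reveal which numbers exist.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed, in-memory customer store for this example only (not a real system).
# Records are keyed by phone number; the PIN is stored only as a salted PBKDF2 hash.

@dataclass
class Customer:
    name: str
    address: str
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold
PBKDF2_ROUNDS = 50_000   # assumed work factor

def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Deliberately slow hash so a leaked store cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

def make_customer(name: str, address: str, pin: str) -> Customer:
    salt = secrets.token_bytes(16)
    return Customer(name, address, salt, _hash_pin(pin, salt))

# Sample data (constructed).
CUSTOMERS = {
    "0400000001": make_customer("Alice Example", "1 Sample St", "1234"),
    "0400000002": make_customer("Bob Example", "2 Sample St", "5678"),
}

# Dummy credential used so an unknown number costs the same as a real check.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_pin("0000", _DUMMY_SALT)

def lookup(phone: str, pin: str) -> Optional[dict]:
    """Return the details of exactly one account, or None.

    There is intentionally no search or listing function: the only way to reach
    a record is to present the phone number *and* its PIN. Unknown numbers,
    wrong PINs and locked accounts all produce the same answer (None).
    """
    customer = CUSTOMERS.get(phone)
    if customer is None:
        # Do the same hashing work as a real check so timing does not leak
        # which numbers exist.
        hmac.compare_digest(_hash_pin(pin, _DUMMY_SALT), _DUMMY_HASH)
        return None
    if customer.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return None  # locked until the PIN is reset
    if not hmac.compare_digest(_hash_pin(pin, customer.salt), customer.pin_hash):
        customer.failed_attempts += 1
        return None
    customer.failed_attempts = 0
    return {"phone": phone, "name": customer.name, "address": customer.address}

def reset_pin(phone: str) -> Optional[str]:
    """Issue a fresh random PIN for one account (the "reset straight away" step).

    In a real deployment this sits behind whatever identity check the call
    centre performs on the reporting customer; here it is only the data-layer
    operation. Returns the new PIN, or None for an unknown number.
    """
    customer = CUSTOMERS.get(phone)
    if customer is None:
        return None
    new_pin = f"{secrets.randbelow(10_000):04d}"
    customer.salt = secrets.token_bytes(16)
    customer.pin_hash = _hash_pin(new_pin, customer.salt)
    customer.failed_attempts = 0
    return new_pin

if __name__ == "__main__":
    print(lookup("0400000001", "1234"))   # Alice's record
    print(lookup("0400000001", "9999"))   # None: wrong PIN
    print(lookup("0499999999", "1234"))   # None: unknown number, same cost
```

The point of the dummy-hash branch and the single `None` return is that an attacker who has obtained a list of phone numbers learns nothing from the lookup endpoint about which of them are customers, which is the property the "no search facility" design is meant to provide.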
An Optus spokesperson said in a statement that the company continually reviews and updates its information security practices.
“We monitor our systems for potential security breaches and threats,” the spokesperson said.
“While Optus believes the customer information it holds is adequately protected, we are conducting a review of our systems and processes to ensure our customers’ information is secure following reports of a breach of Vodafone’s systems.”
A Telstra spokesman did not say if the company was reviewing its security.
“We operate a security operation centre providing 24 hour security monitoring services for customers and have implemented appropriate protections to help keep our network safe,” he said in a statement.
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU