The transcripts of the official inquiry into the culture, practices and ethics of the press.

  • MR JAMES BLENDIS (affirmed). MR ADRIAN GORHAM (sworn). MR MARK HUGHES (sworn).

  • Can I start, please, Mr Hughes, with you. Could you tell us the position that you hold and a little bit about your professional background, please?

  • Yes, sure. I'm currently head of fraud risk and security for Vodafone UK. I have been in that position since August 2011 and I've worked in the fraud risk and security department in Vodafone since October 2006.

  • Mr Gorham, if I could ask you the same question, please.

  • I'm the head of fraud and security for Telefonica O2. I've been in that role for ten years and have been in the industry for 13.

  • Vice-president for legal and regulatory affairs for Orange and T-Mobile. I've been in that position since the merger in 2010. Previously in a similar position for T-Mobile.

  • Thank you. I'm now going to ask each of you if the witness statement submitted either by yourself or by someone else from your organisation is true and correct to the best of your knowledge and belief. Mr Hughes?

  • Your witness statements deal with some matters of disclosure which I need not deal with now, and they also tell us a little bit about the approach that each of your companies has taken to voicemail security. It's that issue that I want to explore first of all. What I'm going to do is take you through a number of the issues and ask you what your company's approach is now and what it's been in the past. So can I start first of all, is the transmission of the actual voicemail encrypted?

  • Has that been the position since the introduction of digital transmission or is it more recent than that?

  • My understanding is it's been encrypted for the whole period of time from the introduction of digital. It's always been encrypted.

  • I believe that's the case, yes.

  • You're going to have to speak up and make sure that you're heard, because otherwise we won't pick up what you're saying. Thank you.

  • Can I now move to the question of default PIN numbers. It's common ground that all of you have systems in place to guard access to voicemail, which is governed by a PIN number. Is it right, Mr Hughes, that at one point in time Vodafone phones had a default PIN setting, so when the phone arrived, there would be a PIN which anyone would know until it was changed?

  • So 2001 and before, there was a default PIN setting on the Vodafone network.

  • And when was the change made?

  • In 2001. I'm not sure of the exact month, but it was in 2001.

  • What brought about that change?

  • I'm not sure exactly what triggered the change, but with any of our products and services, we're always looking at ways to improve the security, so what the trigger was I can't be sure now, but it was changed in 2001.

  • What was the position, please, Mr Gorham, at Telefonica O2?

  • We previously had a default PIN that was sent to customers, and it was down to the customer if they wanted to change that default PIN or leave it at default. That was the case until 2005/2006, when we had the voicemail issue, and it was at that point that that security was then enhanced.

  • Are you referring there to the well-publicised convictions of Mr Mulcaire and Mr Goodman?

  • Mr Blendis, can you tell us what the position has been at Orange and T-Mobile?

  • Orange has never had a default PIN. T-Mobile had default PIN prior to 2002, and that was taken away late 2002.

  • And what was the reason for taking it away in 2002?

  • I don't know precisely, but I can only imagine the feeling was that it would add to the security if there was no default PIN.

  • So just to understand this, and I think I've got the way in which it worked, this was a mechanism whereby people would listen to their messages from a remote telephone?

  • Because they can always get into their voicemail from their own mobile but if you wanted to dial in from a landline, you could pick it up?

  • And there had to be some distinguishing feature to make sure that you were getting your own messages, but of course if people just had the default number, then it was easy for that to be tried?

  • That's correct, yes.

  • Can I ask you, Mr Hughes, while we're on this subject, the Inquiry has heard evidence from Mr Nott, who says that he drew to Vodafone's attention the security vulnerability that existed from having a default PIN in the late 1990s, and indeed the Inquiry has had evidence that the matter was dealt with by Vodafone in a radio interview soon afterwards, at which time the advice was to change PIN number. Why didn't Vodafone do more back in the late 1990s when Mr Nott drew the problem to your company's attention and instead wait until 2001 to introduce a more secure system?

  • So the simple answer as to why is I don't know why that wasn't done at that point. The person that represented Vodafone at the time in the Radio 5 interview has sadly passed away some years ago, and in preparation for coming to this Inquiry we've tried to find people that perhaps would be aware of what was happening at that point, but we've been unable to do so.

    The default PIN setting, as you've heard, was pretty much an industry standard at that time and it was changed in 2001. Whether that was in relation to the claims -- the correct claims at the time of Mr Nott, I simply cannot be sure.

  • Can I ask now about what is sometimes referred to as temporary PINs, but they're PIN numbers which can be set by customer services departments if a customer rings in and asks for that to happen if they, for example, have forgotten their PIN number. Did Vodafone have a temporary PIN system?

  • At the time of the criminality that was happening in 2006, a customer could call through to a customer service agent, and once they'd authenticated by answering some specific personal credentials about themselves as a customer, which would include items such as the date of birth, the registered address, their postcode, et cetera, they would be able to ask the customer service agent to either (a) set up remote access to their voicemail, should they require it, and that would involve needing a PIN number, and the customer service agent would be able to set the PIN number to either a number of their choosing, which may be easily rememberable, or the customer could ask for the PIN number to be set up to a number that they choose. Conversely, if it was already set up, they could ask for the PIN to be reset and again the same criteria would apply.

  • Does that system remain in place or not?

  • It doesn't remain in place. That was changed when the criminality came out and we were aware of what the attack methods were. We made changes to take away from all of our customer service agents either visibility of the PIN or for the ability for them to be able to reset the PIN. We made changes to the system so that the customer would go through some guidance on the handset and the PIN number would be texted to the registered handset and SIM, and it would also reject any weak PINs, any double numbers, sequential numbers, to make sure that it was as secure as possible.

  • Mr Gorham, can I ask you to deal with the same issue, please, from the Telefonica O2 perspective?

  • Prior to 2005, if a customer contacted us, we could reset their PIN back to the default and then the customer could choose their new PIN. So at no stage would we know what the PIN actually was. We would purely reset it back to default and the customer could then change it. The same as with Vodafone, they would pass the security questions and validation.

    Since that date, what we now do is we actually send the new PIN number. So if they've locked their account out, if they can't get in, we will actually send the new PIN number to their mobile phone so they will receive a text with that new PIN number on, so again our staff are not aware of their actual specific PIN.

  • So customers who want to set up their voicemail will call customer services and they can put their own unique PIN on at that point in time, so if they do that, then it will be secure.

    We also now have a system where if somebody calls in in those circumstances to change the PIN, a text will be sent back to the phone so that the owner of the phone will see that that's been changed, so they'll be notified.

  • If that's the position now, was the historic position that your customer service people would know a PIN when it was changed or has the system that you've just outlined always been in place?

  • The PIN is not visible and never has been visible to the customer service agent in the system, so it's not stored in the system. They would know because of the conversation because they'd set the PIN at that time what that PIN was, but it wouldn't be stored.

  • That's always been the case.

  • Is that still the case now?

  • Does that mean there's still potentially a vulnerability if the member of staff is the subject of a successful -- I think the term is successful social engineering or blagging?

  • If somebody socially engineers the account and convinces the customer service agent and changes the PIN for their own purposes, a text will be sent back to the customer phone, so the customer, who obviously isn't the party that's blagging the account, would be notified.

  • How long has that automatic text notification been in place?

  • That's since 2006, that's a change that we've put in place.

  • Was that again because of the exposure in 2006 of illegal activity?

  • Yes. I think it's fair to say that security has always been important to us. It's a significant issue for us, as it is for our customers, so we're always looking to improve that. That was an initiative we put in place in 2006 and we have a new raft of initiatives coming through that will make further improvements going forward.

  • Is the default -- and I don't want to expose your security to scrutiny -- but is the default a complex or is the number complex or can it be straightforward? I appreciate you'll reject 1111, but for some security devices it has to be a combination of capitals and lower case and numbers and symbols. I'm sure you understand. Is it a straightforward number or can you make it more complex?

  • In our case, a four digit number is the default, but until the customer has changed that to their own unique number, they cannot use the voicemail facility.

  • So the customer has to go in and has to actually put a unique number in before they can use the voicemail service.

  • As part of our changes, we would actually restrict what we call easily guessable PINs. So you wouldn't be allowed a PIN that was say 0000 or 1234. So the enhanced security we're putting in place will hopefully close that down as well.

  • That's the same for Vodafone.

  • Of course, you could choose your birthday, and your computer won't know the birthday of your customer.

  • Our customer service agents are now being trained specifically on this issue, so there's a heightened awareness with our customer service agents. We also have training specifically for blagging. So they would know not to allow a customer to put their date of birth, and if there was a suspicion of that, if it was 1971, for example, then they would probably say, "Is that your date of birth? Could you select something more secure?"

  • Mr Gorham, could you help us with the position at O2 with easily guessable PINs? We've heard from the other two witnesses that they do now have systems in place to prevent them. Does O2?

  • Again the same for us. The easily guessable numbers we don't actually have PINs that you can use that relate to those numbers.

  • And in terms of educating users, which Mr Blendis touched upon a moment ago, perhaps I could ask Mr Hughes what steps is Vodafone taking at the moment to educate users to change PINs and to look out for signs of unlawful interception?

  • Anyone in our call centre environment who deals with customer information, we provide them with a level of training and guidance to make sure, as with the other networks that we've heard from, that they're aware of the types of attacks that can happen and the types of, you know, as you've put it, blagging that can happen and that they've got an awareness to make sure that they can deal with that.

    The other thing we try and make our customers aware of is the PINs themselves, because, as you say, if they put a date of birth, the system may not know that and it may not be, to the system, an easily guessable PIN. It's really important that we keep the messages going to our clients that they should treat any PIN numbers that they set up on the mobile communications network exactly as they would with their banking credentials and they must keep them secure, whether they're default or not. If the pass may have been online, they must keep their PIN numbers secure.

  • We have comprehensive training for our staff when they join the business. They do computer based training and part of that takes them through social engineering and explains how it can happen, how we can help prevent it. We also do mystery shopping on our staff, so we actually have an organisation that tries to blag information out of our staff, so we can continually learn what new MOs are and how we can better protect our customers. And we do roadshows for our people. So there's continued training.

    Exactly the same with our customers. We give information, it's on our portal, we have guru sort of video clips to try and explain to customers how they can actually keep their messages secure and what they can do to protect their own information.

  • The only thing I'd add to that is we also now have a process where if a customer service agent suspects that they're not talking to the genuine customer, they have a process whereby they will call the customer. So if they can go through a conversation, terminate the call, call the customer back. If it's a blagger, they're usually not calling from the handset, so the customer would get a call back to the handset to warn them or check that it was them. We think that will hopefully close down as far as we can the problem of social engineering.

  • Can I ask now about what happens when somebody enters the wrong PIN repeatedly, at what point there's an automatic lockdown of the account. Mr Hughes, what's the position at Vodafone now?

  • As soon as we made the changes in 2006, one of the other features that we brought in was to ensure that if anybody tries to dial the unique voicemail number of the customer remotely, so not from the handset, and they enter even one wrong digit, they make one mistake in entering that PIN, a text message is sent to the registered handset and SIM of that customer account which says something along the lines of, "An unsuccessful attempt has been made to listen to your voicemail remotely. Please contact a member of our customer services team immediately if this was not you."

  • What's the position at O2 please?

  • After three unsuccessful attempts to get into the voicemail box, your voicemail box is locked, which means it can't be accessed for a period of 30 minutes. At the same time, a new PIN is sent to the actual registered handset, so the customer then will receive a new PIN number that they must use to access their voicemail, then they have to reset their own PIN again.

  • How long has that system been in place?

  • That's been in place since 2006, following the inquiry.

  • Yes, similar system. If there are three unsuccessful attempts, then the voicemail will block and they would have to call into customer services to reset it and go through security checks.

  • How long has that been the case?

  • That's always been the case on Orange.

  • And on T-Mobile?

  • On T-Mobile it will drop, so after three unsuccessful attempts it will disconnect and there will then be a 30 minute gap and they will be able to retry after that. We are trying to align the systems, so we have a complete new voicemail platform that's intended to deal with a lot of these issues and align the systems.

  • Is the owner of the account notified of unsuccessful attempts on the T-Mobile accounts or is that a matter which needs tightening up?

  • I think that's something that's in the process to align the two brands. I don't think that's the case currently.

  • Can I ask now about when there are multiple simultaneous attempts to access a voicemail? Is there any automatic lock-out procedure in that event on Vodafone accounts?

  • I'm not sure, I'd have to check that and write to you separately.

  • It would be the same as my previous answer. Once there's been three attempts, the account would lock.

  • So it doesn't matter --

  • It doesn't matter where they come from.

  • I'm asking now about two simultaneous attempts.

  • It would count those as two, I believe. I'd have to check and come back.

  • I know that's part of the new platform, so that will prevent that from happening going forward. You won't be able to have dual access to the same box.

  • Now a question which your evidence may already have answered. I was going to explore whether the number of digits in the PIN is important, because presumably the smaller the number of digits, if you keep trying, you'll eventually get there. Does it mean because of your automated lockout procedures that you don't regard a large number of digits in the PIN as really necessary?

  • I think if you compare it to perhaps the financial industry and people's cash cards are four-digit PINs, I don't know exactly how many thousands of combinations there are, but I think from all of our perspectives, certainly from Vodafone, one wrong key press of that PIN is going to send an alert to the customer.

  • Is that how many there are?

  • I would have thought so, but rather fewer than that if you exclude 111 and 0000.

  • Does anybody see an issue with the number of digits?

  • No, I think the number of digits, four, is the same as you would have with a banking card and everything. I think the challenge is getting customers to use those numbers and pick PINs that are not easily guessable.

  • I think also to be fair customers want a balance between usability and security, so if you tell them they have to have a ten digit PIN number to get into their voicemail, they'll find it quite difficult.

  • Yes, I have a system that I have to change the number every three months and the problem of course then is remembering what it is at the relevant time. So I see the problem.

  • Mr Blendis, you've already touched on future developments at Orange and T-Mobile. Can I ask each of you more generally about whether you think, accepting what you've already said, there is anything further that can be done and in particular whether there is anything actually in the pipeline. Mr Hughes?

  • Yes, so we're always looking at ways that we can improve our security. It's very much my job to do that. From a customer authentication perspective, we're looking at some future technical enhancements, what you could do, probably in the areas of things like voice biometrics, which would be the digital reading of the actual customer as they call in, which is something we're looking into for sort of future deployments on the Vodafone network.

  • Similar to ourselves, there's lots of things in the future that may come along and be technology solutions. What we just have to be careful of is they still give customers the usability, that they actually want to use our products and services.

    Also at international level with the GSM Association, I believe next Monday, Tuesday, they're issuing a new standard on voicemail security, put together by all the operators, so that will try and get more of a basis for security across the industry.

  • As I said, we have a new voicemail platform that we're putting in place which should actually be complete in the next few months and that will have a number of enhanced features. The real problem is the unauthorised access, so every time the voicemail box is accessed remotely, a text will be sent back to the customer, so if that is somebody that's trying to hack, the customer will be alerted. We'll actually also give customers the option to switch off remote access. If they don't use it and don't want it, we'll enable them to switch that off so they can't be hacked, essentially.

  • Of course that works also if you have the PIN number before you access the box. Because I think one of your companies says until you've actually put in your own unique number, you can't access the voicemail. So if you never do put in a number, you simply will never have access to a voicemail.

  • That's true, but somebody can still guess the number. So yes, you're right, unless you set it up. But it's the people that set it up and then want to disconnect it, they'll be able to do that.

  • Mr Hughes, can I ask you about the letter that Vodafone sent to the Inquiry on 26 January. In that letter, Vodafone very properly drew the Inquiry's attention to an exception to the general changes which you've been telling us took place around 2006. I understand from that letter that there was a specific system, which at its peak had 300,000 users, called Vodafone Mail, which was not subject to the tightenings of security which you have outlined to us and that was overlooked and was only relatively recently discovered and put right. You tell us things were put right in June 2010; is that right?

  • On the Vodafone Mail system, a user could dial 242 from their mobile handset to collect messages. Could they dial 242 to collect messages remotely?

  • I'd have to check that. I'm not entirely sure.

  • But they could certainly check remotely simply by using a PIN number and using a default PIN number?

  • Yes. So the system itself accounted for about 1 per cent of our customer base. The platform was due to be decommissioned actually around the time of the activity coming to light. However, you could have -- with the changes I outlined on the main platform, you could still in theory have phoned through to a customer service agent, you still have to authenticate, but then you would be able to ask the customer service agent to reset the PIN on that specific service.

    The action we did take at the time was that we took away the ability for the vast majority of our customer service agents to be able to reset the PIN and we limited that to a very small number of customer service managers that we had in our call centre environment to try and address that specific issue, but as you rightly said, it wasn't decommissioned fully until around about 2010, that's correct.

  • Does Vodafone know whether or not there were any losses of confidential data from Vodafone Mail?

  • What we have done in all of our contacts with the Operation Weeting team at the Metropolitan Police is check that any of what we now know to be the confirmed victims were ever a member of the Vodafone Mail service, and I'm happy to say that they weren't.

  • It's plain, if I may say so, gentlemen, that your respective companies have taken significant action from about the middle of the last decade, when this issue received a lot of prominence and was the subject of high profile criminal proceedings. But it's the position that the Inquiry has heard evidence that these security vulnerabilities were known about in general terms and publicised long before that, not least through the publicity generated in the media by Mr Nott, and his story was picked up in a number of places.

    So I'd like to ask each of you in turn, and I'll start with Mr Blendis, why the industry didn't react more quickly than it has.

  • I have to be honest, I don't know what our knowledge was of Mr Nott at that time. That was a long time before the scandal erupted around the Mulcaire hacking. I think we have reacted quickly, and I think we always have a continuous programme of improvement. Security has always been a priority for us. It's important for our customers so it's important for us, not just in relation to voicemail hacking but across the whole spectrum of services.

    We have a programme of enhancements on security generally to make sure that information is contained, that it's only kept with people that need to hold that information and the access is limited, and also that if there are suspicions that people within our business can disclose data, that that is restricted as far as we can. So people within our business now can't download information onto data sticks, they can't send large files by email. These are very restrictive operations within the business, but we have reacted and we have done our best to enhance that because it's important for our customers.

  • Mr Gorham, why wasn't more done earlier?

  • I wasn't aware of the Mr Nott case prior to 2005/2006. We certainly were not aware of the weakness that was being exploited within the voicemail platforms prior to the investigation. That was completely news to us and I believe to the industry, and it was at that point that we then went up to the next level of security by taking away some of the features that customers had, so we took that decision away from customers when we found out it was being abused. But prior to that, I had no evidence that voicemail was being abused in any way.

  • I think I've already asked you about Mr Nott, so I won't repeat that question. Can you help me more generally with why Vodafone didn't act before it did?

  • I think when you look back through the time line now of the issues that were changed in 2001 around default PIN settings across all the network providers, when this other issue of blagging or social engineering came to light, the networks, the industry made changes again to increase security, and I think building on what O2 have said, I think generally when you look at criminality right the way across the communications sector, whatever way it's happening, whether it be the issue of blagging, whether it be the theft of mobile phones, whether it be the theft of metals, we actually, you may be surprised to learn, collaborate quite a lot in the security arena. It's not necessarily a competitive area for us, so we'll meet regularly to make sure that all of us have the best security that we can and we share ideas to protect our customers right the way across the industry.

  • I'm delighted to hear that.

  • I'm going to move now and deal more shortly with the interception of conversations. It's well-known that a long time ago an analogue conversation was intercepted and hit the headlines in the newspapers. Is it right as a general proposition that intercepting mobile phone conversations is now a lot more difficult than it used to be?

  • I think it's very difficult. The encryption that we all replace from the point at which the customer makes a call from their handset and where it transmits through the air to the technology infrastructure that it needs to, it's all encrypted to a very specific standard with all sorts of difficult algorithms applied to it.

    I think it's certainly reasonable to say it is possible to do that. Doing it live, which is I think what you're alluding to, is incredibly difficult technically. You would have to have a lot of technical skill to do it, and you'd have to have significant financial resources behind you to buy the equipment in order to do it. Of course, it's illegal and I think carries a custodial sentence under RIPA.

  • Does anyone disagree with that answer?

  • (Witnesses shook their heads)

  • As far as you're aware, is the interception of conversations, whether live or ex post facto, a significant issue?

  • Can we move to blagging and we've touched on this to some extent in your answers already about what staff have access to, particularly you've told us about PINs. Can staff have access to location data, where calls are made from? Mr Hughes, I'll start with you.

  • No, not readily. We give our customer service agents the details they would need to help with any type of customer query. I suppose this will be specifically around -- usually around billing queries. We'd make that sort of information available.

    Location information is incredibly sensitive, so we make sure there are only a very few specific areas that have the need to have access to location details and the sorts of areas I'm thinking about in my organisation would be the areas in which we're obligated to share communications data with the police and the authorities to help with their investigations. It's very much ring-fenced to make sure that that information is kept as absolutely secure as possible.

  • Has that always been the case or is that as a result of a tightening up of security?

  • It's always been the case to the best of my knowledge.

  • Can you give us some idea about the number of employees which Vodafone has who would have access to location data, in rough terms?

  • The wider organisation I have to check. I'm thinking about my own remit and responsibilities in the area that I've outlined and that would include around about 15 people.

  • Mr Gorham, what's the position with O2 so far as location data is concerned?

  • Our customer service staff have access to your billing information, the calls that you've made, but they certainly wouldn't have access to the location of your phone, that's an access they don't have and never would have had. There are people in the organisation, the same as Vodafone, we have had the police disclosure team and they need to have access for requests we get from the police for location, life at risk cases. There's also some of our engineering staff that have access to that data if a customer is having problems on the network making calls, they may want to identify what cell site they're on, so those kinds of people.

    I'd have to write to the committee to give you an idea of the numbers of staff that would probably have access. I suspect it would be about 50 but I don't have first-hand knowledge of that.

  • Again, customer service agents wouldn't have access to specific location information, for example PIN type information. That's very restricted. It's within a specific police liaison team within our organisation that sits in my team. There's about 20 people in each of the Orange and T-Mobile organisations.

  • How long has that restrictive approach to showing location data been in place?

  • That's always been the case.

  • I'm getting the sense though that call data generally, who a person has been calling, is available to your customer services operators of necessity, so that they can deal with legitimate enquiries. Is there anything that can be done to prevent a blagger trying to obtain data about who a person has been calling, for example a blagger who wants to know if X has been calling a suspected lover or something like that?

  • From the Vodafone perspective, we'd only ever assist a customer with details about their own mobile phone activity in the numbers that belong to them, and that's their outgoing calls. So we would never consider answering any question for anyone other than themselves.

    I think in general terms around authentication of the customer, the important thing is that when the customer service agent has the call put through, that we've done enough to make sure that we've -- beyond reasonable doubt, if you like, we can be sure we're talking to the right person, either the customer or someone who is registered to the account, and that's what we need to make sure is the case for our customer service agents, who are there in place to help our customers.

  • Same for us. When a customer contacts us, we ask customers to have a password on their account which they need to get correct before we have a discussion with them. If they don't have the password or have forgotten it, we will go through a number of security questions to try and validate who they are, and we will vary those questions. So they will change to try and give us that confidence.

    The challenge, as I'm sure you appreciate, is we have about 35 million calls every year into customer services, 23 million customers. The opportunities that social engineering occurs is very, very rarely and it's very difficult to defend somebody who may have already stolen an individual's personal identity and is using that to trick that confidence at that stage.

  • It's a similar position, customer services agents would only supply billing data to the genuine customer. We recognise that we need to do more to make customer service agents aware of blagging, so we have a training programme running out, we have videos that they watch that shows examples of how it's done. We're encouraging customer services to move away from the traditional what are probably easier questions so that they will ask more rigorous questions that they know only the customer would have access to that information.

  • I picked up from the Vodafone information that there's now a duty to report suspected data breaches at Vodafone. Is that the same in O2?

  • I see you nodding, is that the same --

  • -- for Everything Everywhere? Do you all have whistle-blowing policies to protect whistle-blowers who come forward?

  • Can I ask you what your experience has been in terms of attempts to socially engineer information from your organisations? Mr Hughes, can you give us an idea of how many of your staff have had to be the subject of disciplinary proceedings for that sort of issue?

  • Certainly. From the records that I've looked at in preparation for helping the Inquiry today, we go back to 2009, which is as far back as I can see from an investigations perspective. Whether it be the accidental disclosure of personal data -- and I'd like to add none of this information is in relation to voicemail hacking but the wider issue of customer personal data -- so whether it be the accidental leakage of customer personal data or whether it be a malicious attempt to remove personal data from the company, I believe we've had 13 investigations which have resulted in either some kind of disciplinary warning or a dismissal from the organisation.

  • Mr Gorham, can you --

  • My evidence is the same as we supplied back to the committee. So since 2003 we've had 54 staff who have either been disciplined, prosecuted or dismissed for cases relating to breaches of data security. That is not purely voicemail. That could be disclosing some billing information, looking at somebody's account that they weren't supposed to look at, but the total scale would be 54, and a number of those were investigated by our own investigators and are taken through to the criminal courts if it's believed to be appropriate and the evidence is there to substantiate.

  • So the number of people that have been dismissed and prosecuted across both brands is four people in the last I think it is five years. We don't have records of other disciplinaries. We only know about those ones where we have initiated an investigation, contacted the police and those have actually led to the prosecution of those individuals.

  • Only the most serious of cases?

  • There will be other cases and those will be dealt with through our disciplinary procedures, but we don't have records of exactly how many cases.

  • We have in the bundle at tab 11 the response to a request for information from the Information Commissioner's office about data protection breaches by telecommunications companies. There is on the third page of that document a list of companies and the number of data protection breaches.

    All of your companies feature on that list. At the top is BT with 42, then Talk Talk with 12, Virgin Media with 20, O2 with 10, Orange with one, Three with two, Vodafone with 18, T-Mobile with six and Sky with 10, and that's for the period between 1 April 2008 and 31 July 2011.

    On the face of it, those are concerning statistics. I'd like to ask you whether more can be done to protect personal data by your companies. Mr Hughes, I'll start with you, please.

  • Of course. Both privacy and security are put into everything that we do. In every product and service we bring to market, it's designed in from scratch. It's incredibly important. We recognise how important it is to our customers and our employees and that's why it's important to us. Yes, we have an obligation to supply details of the breaches to the Information Commissioner's office and the legislation may lay out certain penalties on all of our organisations in relation to data breaches, but certainly in terms of Vodafone, my security department is responsible for making sure that this doesn't happen and, when it does happen, any employee in the organisation, whether it be accidentally or done as a result of an inaction on that employee's behalf which has led to that breach or whether it be malicious, any of our employees should expect a very robust approach to that.

  • The ten cases here that refer to our organisation, they are investigated by our regulatory team and they are farmed out to my investigators if appropriate, or customer services if it involves them. We send reports back to the ICO and make recommendations on what we're going to do for improvement and we've had no further action taken against us on those cases.

    We strive continually to continue to protect our customers' data at that highest level, but a lot of these do tend to be fairly minor cases in the effect that they could be domestic situations, so you can get examples of where it's an employee and it's a relative, and it's very difficult to guard sometimes against those domestic situations that drive some of them, rather than these being major data breaches of large amounts of customer data.

  • For security, data security is a top priority for our business. It's a priority for the board, it's a priority for everyone who's working for products and services. We have a kind of three-point approach to data security. The first thing is just to cleanse information in business as far as we can to make sure we only hold data that's relevant and key to our services, so we narrow down the amount of information that we hold.

    The second thing is to make sure that access is only restricted to those that really need to see it, so we don't have large swathes of data sitting across the business for general access.

    The third thing is to ensure that that access can only be attained in limited circumstances, so it can't be sent by email, can't be downloaded onto data sticks, and that we hope will really narrow down the opportunity for people to breach those data security procedures.

    But as we've heard from the others, low level breaches will occur, and I think some of these notifications are partly, for example, where we've had a request for information from a customer, we have an obligation to provide that information, but we have failed to do so within the timeline. So we take it very seriously, but the volume of these is fairly low. They're not all major security breaches.

  • Can I move now to the cases of hacking which have emerged and which are being investigated by the police. In answering my next questions, please don't give any names, but what I would like to know is first of all whether you know how many or whether you have a current figure for how many of your customers have been the victims of voicemail interception. Mr Hughes?

  • Yes, so from the point at which we helped the police with their inquiry, we ran some checks. Would you like me to tell you the checks that we ran?

  • We were provided with two suspect landline numbers, which we now understand belong to News International, and we checked to see which unique voicemail numbers of our entire customer base had been contacted by these landline numbers. That produced us a report to say that there were 177 unique voicemail numbers that had been dialled. However, that doesn't suggest that there's 177 victims. What we needed the police to do was put their evidence and their pieces of the jigsaw together to come back with and confirm exactly who the victims were on the Vodafone network, and we understand that that investigation has now taken place and from our liaison with the police, we understand on the Vodafone network there are 40 victims.

  • What's the position at O2?

  • Back when the police investigation kicked off, yes, they came to us with a specific phone number where calls had been made into voicemail retrieval numbers. We did our own identification, we identified in the region of 40 customers that we believed may have had their accounts compromised. We passed that information back to the police and took the step of contacting those customers. So we contacted all our customers, informed them of what we could see on our network and we advised them at that stage about how they could enhance their voicemail security to stop any further attempts to listen to their messages.

  • Do you have a number?

  • Ours was 40, slightly under.

  • We had 45 customers that we identified on the Orange network. That's where the call-in number had accessed those 45 numbers and accessed the voicemail box, that was 45 on Orange, and on T-Mobile it was 71.

  • Can I move on to the question of communicating the facts of a breach of data security to the customer. Can we start with what the position is now. Has Vodafone informed any of its customers that their voicemails have been hacked?

  • Yes. In January 2012 we worked with the police and they told us that they were in a position to contact the customers on the Vodafone network and they wished to do so, so my understanding is that the police contacted the customers in January 2012 and we also did exactly the same thing.

  • We contacted all of our customers back at the time of the original Inquiry, so that was five years earlier when the original police investigation took place.

  • We contacted all of those customers in July 2011, so that was after we had received the information from the police that verified which were the victims of phone hacking. Up to that point, we didn't have that verification from the police.

  • Why wasn't it done earlier by Vodafone?

  • We were expressly told at the time of the investigation not to contact our customers as we may prejudice the police investigation. We're very experienced in working with the police, we help them make thousands of investigations a year, so the last thing we would want to do would be to trample on an investigation that the police were running. So that's why it wasn't done.

  • Was there any correspondence between your company and the police expressly dealing with this issue?

  • Yes. The correspondence that I have is that we received quite confusingly a letter in the October of 2010 from the Metropolitan Police requesting that we contact the Vodafone customers that were victims, and we had to point out -- we wrote back to them and pointed out that although we'd supplied the 177 unique voicemail numbers, we still had no clarity at all about who the actual victims were on the Vodafone network until the police put their pieces of the jigsaw together and told us that, so we never received a response to that communication, and the next communication that we had was when in late 2011 the police told us they were now in a position to be able to identify the victims on the Vodafone network, and as soon as they did that, we followed suit with contacting our customers immediately.

  • Was the lack of a response from the police back in 2010, October 2010, was that chased in the interim between October 2010 and the answer later in 2011?

  • I have no specific records I can draw upon to say that it was chased or how frequently it was. I know that throughout the whole period of the investigation when we were helping from 2006 to date, we fully co-operated with anything that we were asked to do in relation to the investigation, but whether it was specifically chased, I have nothing I can draw upon to be able to look at the --

  • I don't wish to suggest that in any way you haven't co-operated with the police, but can I ask you this. From your customers' point of view, would you accept that perhaps Vodafone should have been more proactive about liaising with the police to ensure that your customers could have been told at the earliest sensible opportunity?

  • What we did manage to agree with the police around the time the investigation was, they accepted that we could send out some generic voicemail security advice to customers within our organisation which would be perhaps more at risk, so people in the media, members of government, et cetera, so we were able to push out some communications, some general awareness communication to them at the time.

    Also, throughout the whole of the period of the investigation from 2006 right the way through until now, clearly it started to get into the media, so we did field a lot of calls from really concerned customers saying, "I'm worried about what's happened, have I been a victim?"

    As I've said previously, we would never be able to, with any level of clarity, without seeing that police evidence, confirm that they were a victim, but what we were able to do was see whether their information had been supplied to the police as part of the evidence bundle, and if it had, we informed them of that and asked them to then contact the police for more details.

    To answer your question sort of directly, I think with the benefit of hindsight it would have been much better to have a level of clarity with the police much earlier so that we could tell our customers what the issue was.

  • Mr Blendis, we've heard that O2 notified their customers at an earlier stage than your companies.

  • Why didn't your companies do the same?

  • We were in a similar position, where we did not know that those customers were the victims of phone hacking, so we have a large number of callers that the hacker potentially called, and actually all we knew was that the call diverted to voicemail, so we don't even know at that stage whether they have then accessed the voicemail box, which would lead to potentially a presumption of hacking.

    So we did actually write to the police in November 2010 and we said, "We've given you all of the information that we have. If you can identify those customers that you believe were the victims of hacking, please tell us and we will contact those customers." We did that in November 2010.

  • And what response did you get?

  • We've had no response to that.

  • We didn't chase. I think in hindsight and I think now we would probably be much more proactive because I think we recognise and sympathise with customers that were hacked and we would really want them to know about that. So what we need to get to is circumstances where we have clarity where we're not prejudicing the investigation, where we're not, for example, tipping off the hackers themselves. So some of the numbers actually are the journalists at the News of the World, so what's likely is that there was some trial and error of the process, and I think it's highly likely that if we had simply contacted everyone that we had as a potential victim, we may well have tipped off those people.

  • Thank you. Those were all my questions.

  • I have no questions. Obviously you've been following the events as they've unfolded, and I have no doubt that each of your companies will do all that it can to minimise the risk of data loss and the consequent damage to the security of your customers. I have no doubt that you will. Thank you all very much for coming and for the response that you've given to my requests. Thank you.

  • Sir, the next witness is going to be Mr Imossi.