Vodafone officials were red-faced in January when they were informed by a journalist that she was able to log into the carrier's customer database using legitimate credentials. Australian Privacy Commissioner Timothy Pilgrim announced an investigation into the breach, and Vodafone warned customers of the problem and fired a number of employees in connection with the matter.
Vodafone said it acted quickly to shut down improper access. CEO Nigel Dews assured the public that Vodafone had changed passwords across the board and implemented more stringent password policies, including more frequent changes.
Account credential sharing is hardly a one-off problem in any big company, says Adam Bosnian, executive VP with Cyber-Ark Software, a security vendor. He's seen it most in retail environments, if turnover's high and there's no easy way to create and delete accounts when people join or leave the company. So companies take the efficient but "inherently risky" approach of just using generic, shared accounts, he says.
Password sharing can be particularly troublesome with databases accessed by Web applications, such as the one that powers Internet access to Vodafone's customer database, warns Phil Lieberman, CEO of Lieberman Software. "What happens is that there are certain high-powered accounts that are used by applications and also by users--call them 'generic accounts' because they end up being shared," he says.
One problem with such an account is there's no audit trail--you don't know if an app automatically accessed it, or a particular person did. Too many companies allow the practice to continue. IT staff in other companies could face the same fate as those at Vodafone who were fired should their sloppy practices be exposed.