Vodafone and the Orange/T-Mobile joint venture Everything Everywhere have been accused by MPs of taking years to notify their customers that their voicemail accounts may have been hacked.
According to a report by the House of Commons Home Affairs Committee, three UK operators (Vodafone, O2 and Everything Everywhere) knew that some of their subscribers had been targeted by Glenn Mulcaire, a private investigator employed by News of the World.
Yet only O2 checked with police in 2006 to see if it could notify customers without interfering with a police investigation. O2 officials told the parliamentary committee the company received clearance to notify those affected within 10 days or so of learning that there was an investigation.
Police decided that, while the investigation was ongoing, Mulcaire’s victims should be notified of the intrusions either by police or by the network operators, according to the report. But a breakdown in communications led police to assume that operators had contacted the affected customers, while two of the companies made no move to contact customers, believing that to do so would interfere with the investigation.
“Neither Vodafone nor Orange UK/T-Mobile UK showed the initiative of O2 in asking the police whether such contact would interfere with investigations,” the report said, “nor did either company check whether the investigation had been completed later.
“We find this failure of care to their customers astonishing, not least because all the companies told us that they had good working relationships with the police on the many occasions on which the police have to seek information from them to help in their inquiries,” the report said.
The criticism comes amid claims that anyone attempting to hack into voicemails today would be met with far greater security barriers.
In the UK, private investigators and journalists allegedly gained access to famous people’s voicemail accounts, often by dialling an operator’s dedicated voicemail line and then trying the default 4-digit PIN assigned to the account.
This worked because few of the victims changed the default PIN. And if they had changed it, the account could all too often still be accessed by tricking a customer service representative at the operator into resetting the PIN to the default value.
By default, at least four of the five major operators in the UK (3, T-Mobile, Vodafone and O2) block access to voicemail from anything other than the subscriber’s own phone.
To enable access from other devices, the subscriber must first set a PIN by dialling in from their own phone, closing off one of the major security errors that enabled mass hacking in the UK. Vodafone, Orange and T-Mobile also do not allow their subscribers to set lazy PINs, such as “1111” and “5678”.
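The controls described above can be sketched as a small access-control model. This is an added example, not any operator's actual code: the class and function names, the `DEFAULT_PIN` value, the `from_own_phone` flag (assumed to be established reliably by the network) and the choice to have a customer-service reset clear the PIN rather than restore the default are all assumptions made for illustration.

```python
import hmac

DEFAULT_PIN = "0000"  # constructed placeholder; the article does not state the real default


def is_lazy_pin(pin: str) -> bool:
    """True for repeated-digit PINs ("1111") and consecutive runs ("5678", "4321")."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({0}, {1}, {-1})


class VoicemailBox:
    """Hypothetical model of one subscriber's voicemail account."""

    def __init__(self):
        self.pin = None  # no subscriber-chosen PIN yet: remote access stays blocked

    def set_pin(self, pin: str, from_own_phone: bool) -> bool:
        """Accept a PIN only from the subscriber's own phone and only if it passes policy."""
        if not from_own_phone:
            return False
        if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
            return False
        if pin == DEFAULT_PIN or is_lazy_pin(pin):
            return False
        self.pin = pin
        return True

    def reset_pin(self) -> None:
        """Customer-service reset: clear the PIN instead of restoring a default (assumed design)."""
        self.pin = None

    def allow_access(self, from_own_phone: bool, pin: str = "") -> bool:
        """Own phone is always allowed; other devices need the subscriber-chosen PIN."""
        if from_own_phone:
            return True
        if self.pin is None:
            return False  # default-PIN guessing from another line fails here
        # Constant-time comparison avoids leaking how many digits matched.
        return hmac.compare_digest(self.pin.encode(), pin.encode())
```

With this model, a caller on another line who tries the default PIN is refused both before the subscriber has set a PIN and after a customer-service reset.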