Vodafone Australia will have to significantly improve its processes for verifying the identity of prepaid mobile customers under an enforceable undertaking accepted by the Australian Communications and Media Authority (ACMA).
This follows an ACMA investigation that found the company failed to verify the identity of at least 1,028 customers before activating their prepaid mobile services.
The ‘Telecommunications (Service Provider – Identity Checks for Prepaid Mobile Carriage Services) Determination 2017’ requires all telcos to verify the identity of customers of prepaid mobile services before activating their services.
“Verifying the identity of prepaid mobile customers helps law enforcement and national security agencies obtain accurate information about the identity of customers for the purposes of their investigations,” said ACMA Acting Chair, James Cameron.
The breaches occurred between 6 January 2015 and 6 January 2016. They resulted from changes to Vodafone’s IT systems that allowed customers to self-select online that their identity had been verified in store, without any further check that this had actually occurred.
“Telcos must check that changes to their IT systems don’t run the risk of contravening legal requirements,” Mr. Cameron added.
The court-enforceable undertaking commits Vodafone to conduct a review and risk assessment of any future proposed changes to its systems and processes, instigate training programs, conduct compliance audits every six months and report to the ACMA.
The privacy of individuals is protected under the ACMA by requiring that mobile providers only obtain the minimum amount of information reasonably necessary to verify identity.