Unauthorised tapping into or hacking of mobile communications - Home Affairs Committee Contents

4 The role of the mobile phone companies

96.  To date in the various parliamentary, police and media inquiries into phone hacking, there has been little focus on the role of the mobile phone companies in advising customers on security, protecting the data of their customers, and in notifying customers of any suspected breaches of security or data protection.

97.  We were aware that the few possible victims of hacking by Mr Mulcaire already firmly identified by April this year had been customers of three leading mobile phone companies: O2, Vodafone, and the joint venture between Orange UK and T-Mobile UK which is called 'everything everywhere' (because these names are more familiar, we use the form 'Orange UK/T-Mobile UK' for the joint venture in this Report). We also received some information from 'Three' describing its security procedures relating to voicemail, but since—as of 8 June 2011—it had had no indication that any of its customers had been victims of hacking, we did not pursue more detailed inquiries with that company.

How the hacking was done

98.  Mobile phone companies have for some years offered the service to customers of being able to access their voicemails either from their own handsets or, using a PIN number, from another phone. In order to carry out his operations, Mr Mulcaire had to obtain the mobile phone numbers and the voicemail PIN numbers of his quarry. In 2005-06, there were considerable variations between mobile phone companies in the ease of accessing voicemails. Handsets often came with a default PIN number for accessing voicemail and, it has been suggested, many of the victims may not have changed the standard default settings on their phones. Hackers knew that there were a limited number of default numbers and could at least try those first. O2 told us that before 2006 customers could use the default number for access and were not required to register a personal voicemail PIN; Vodafone's system seems to have been similar, as it said that prior to 2006 customers were "able to" (not 'required' to) change their voicemail PIN to a number of their choosing; default PINs were removed on T-Mobile in 2002 and had never existed on Orange, so from 2002 onwards customers of both companies were unable to access voicemail remotely without a personal PIN. [80]

99.  In oral evidence in September 2010, AC Yates said: "When the investigation started in 2006, it was a catalyst for the service providers to provide proper direct and more prescriptive security advice rather than what most people did in the past, which is leave their PIN number as the factory setting."[81]

100.  In some circumstances, even when a customer had set a personal PIN number but forgotten this, it was possible to ask the phone company to reset the PIN to default or a temporary PIN number, if the person requesting it passed security checks such as the provision of registered personal information.[82] Unfortunately, this sort of information is often easy for a hacker to guess or ascertain if the customer is well known.

101.  However, given DAC Akers's evidence that about 400 unique voicemail numbers were rung from Mr Mulcaire's, Mr Goodman's or News of the World hub phones,[83] it is possible that Mr Mulcaire obtained some of the information he needed for hacking from the mobile companies by either pretending to be someone with a legitimate right to the information or by bribing an employee for information. We therefore tried to discover whether phone company staff may have had access to personal PIN numbers, which they may have been either deceived or bribed into passing on.

102.  O2 said that staff did not have access to customers' personal voicemail PIN numbers even before 2006.[84] Vodafone UK told us that personal PINs were held on an encrypted platform which had always been inaccessible to its staff.[85] Orange UK/T-Mobile UK said that the voicemail PIN was not stored in any readable format within either T-Mobile or Orange UK "and therefore we do not consider it possible for anyone to obtain a customer's unique PIN via our systems."[86] However, Orange UK/T-Mobile UK noted that Customer Service Advisers may change PIN numbers at the request of customers who have, for example, lost their phones. Whilst customers may subsequently change the number again through their own handset, unless and until they do so the Customer Service Adviser knows their PIN.[87]

103.  Of the three mobile companies which we knew had had customers identified as possible hacking victims of Mr Mulcaire, only one directly answered our question: Did you carry out any investigation to discover how Mr Mulcaire had obtained access to customers' PIN numbers? Vodafone told us: "Yes. ... it appears that attempts may have been made by an individual/individuals to obtain certain customer voicemail box numbers and/or PIN resets from Vodafone personnel by falsely assuming the identity of someone with the requisite authority (such as the relevant customer)."

104.  In his Adjournment Debate on Mobile Communications (Interception) on 10 March 2011, Mr Chris Bryant MP said: "There is clear evidence that in some cases rogue staff members [of mobile phone companies] sold information to investigators and reporters."[88] We attempted to discover whether that may have happened in this case. We asked: 'Were any members of your staff disciplined following the release of PIN numbers; and, if so, how many?' Vodafone replied that, given it was not clear exactly how many and which of its customers had been affected by the Mulcaire case, and given the nature of the deception that may have been practised on its staff, it was not in a position to investigate the matter, let alone discipline anyone.[89] O2 said: "We found no evidence to suggest that any of our staff disclosed PIN numbers (which is consistent with our investigation that found that voicemails were accessed through use of the default PIN number). No employee, therefore, was disciplined."[90] Orange UK/T-Mobile UK said: "We have no evidence of any Orange UK or T-Mobile UK staff involvement related to this hacking incident therefore there was no requirement to take disciplinary action. Importantly, the systems we operate mean that individual staff members do not have access to a customer's PIN number. They would only ever know the PIN number when a temporary PIN is issued ... and this would only be done when the customer had successfully passed through our security process to verify their identity."[91]

105.  We note that, despite these protections, each of the companies had identified about 40 customers whose voicemails appeared to have been accessed by Mr Mulcaire. We also note that all three companies have disciplined or dismissed employees for unauthorised disclosure of customer information in the last ten years,[92] though there is no indication that any of these employees was linked to this case.

Measures taken since to deter hacking

106.  In his evidence to us, Mr Bryant was asked what mobile phone companies should do to protect their customers' privacy better. He replied:

I think they need stronger internal mechanisms to make sure that PIN numbers aren't available to be handed out by somebody when ringing into a mobile phone company. I think all the phone companies should adopt the same processes as well because people do often change from one company to another. I think it would be a good idea if they always notified somebody when there was any doubt about whether their phone was being accessed illegally, which is not the policy of all the mobile companies at the moment. Some of them do it and some of them don't, which is why, for instance, in my case I rang Orange and found out seven years after the occasion that my phone had been accessed back in 2003.[93]

107.  Very soon after the police began their inquiry into Mr Mulcaire, and arguably as a result of that investigation, the mobile phone companies reviewed and changed the way in which they allowed customers to access their voicemails remotely (ie not from their own handsets). Whereas previously Vodafone's customers had been able to contact Customer Services to request that the PIN number be manually reset to a number of their choice, Vodafone tightened up the operation by providing that new PIN numbers could be issued only via SMS message direct to the customer's own handset. Vodafone also subsequently installed a new, more secure voicemail platform, with additional procedures in place to warn customers in the event of unsuccessful remote attempts at access.[94] O2 changed its voicemail service so that customers cannot access their voicemails remotely at all unless they have registered a personalised PIN number.[95]
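The controls described in paragraphs 98, 102 and 107 (a factory default PIN accepted for remote access before 2006; PINs held only in a form staff cannot read; remote access refused until a personal PIN is registered; resets delivered only by SMS to the customer's own handset; a warning to the customer after unsuccessful remote attempts) can be put side by side in a small model. The following Python is an added illustration written for this page, not any operator's system or code from the report; the default PIN value, the failed-attempt threshold, the in-memory "SMS outbox" and the phone numbers are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholders: the report gives neither the real default PINs nor any threshold.
DEFAULT_PIN = "0000"
PIN_LENGTH = 4
WARN_AFTER_FAILED_REMOTE = 3


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Hold PINs only as salted hashes, so neither staff nor support tooling can read them."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Mailbox:
    msisdn: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pin_hash: Optional[bytes] = None   # None: the customer has never set a personal PIN
    failed_remote: int = 0
    sms_outbox: list = field(default_factory=list)   # stand-in for SMS delivery to the handset
    warnings: list = field(default_factory=list)     # security warnings shown to the customer


class VoicemailPlatform:
    """hardened=False reproduces the pre-2006 behaviour the report describes;
    hardened=True applies the controls the companies introduced afterwards."""

    def __init__(self, hardened: bool = True):
        self.hardened = hardened
        self.boxes = {}

    def provision(self, msisdn: str) -> Mailbox:
        self.boxes[msisdn] = Mailbox(msisdn)
        return self.boxes[msisdn]

    def _pin_matches(self, box: Mailbox, pin: str) -> bool:
        if box.pin_hash is None:                      # still on the factory default
            return hmac.compare_digest(pin.encode(), DEFAULT_PIN.encode())
        return hmac.compare_digest(box.pin_hash, hash_pin(pin, box.salt))

    def set_pin_from_handset(self, msisdn: str, new_pin: str) -> str:
        """Personalise the PIN; this path is only reachable from the customer's own handset."""
        box = self.boxes[msisdn]
        if len(new_pin) != PIN_LENGTH or not new_pin.isdigit() or new_pin == DEFAULT_PIN:
            return "rejected"
        box.pin_hash = hash_pin(new_pin, box.salt)
        return "ok"

    def remote_login(self, msisdn: str, pin: str) -> str:
        """Access from another phone (the route used in the hacking)."""
        box = self.boxes[msisdn]
        if self.hardened and box.pin_hash is None:
            return "denied: no personal PIN registered"   # O2's post-2006 rule
        if self._pin_matches(box, pin):
            box.failed_remote = 0
            return "ok"
        box.failed_remote += 1
        if self.hardened and box.failed_remote >= WARN_AFTER_FAILED_REMOTE:
            box.warnings.append(f"{box.failed_remote} failed remote voicemail logins")
        return "denied: wrong PIN"

    def reset_pin(self, msisdn: str, identity_verified: bool,
                  requested_pin: Optional[str] = None) -> Optional[str]:
        """Customer Services reset.
        Legacy: the PIN is set to the caller's choice (or back to default) and read back to them,
        so whoever passed the security questions now knows it.
        Hardened: a random temporary PIN goes only to the registered handset by SMS;
        the adviser on the call never learns it."""
        box = self.boxes[msisdn]
        if not identity_verified:
            return None
        if not self.hardened:
            if requested_pin is None:
                box.pin_hash = None
                return DEFAULT_PIN
            box.pin_hash = hash_pin(requested_pin, box.salt)
            return requested_pin
        temp = f"{secrets.randbelow(10 ** PIN_LENGTH):0{PIN_LENGTH}d}"
        box.pin_hash = hash_pin(temp, box.salt)
        box.sms_outbox.append(temp)
        return "sent to handset"
```

In the legacy configuration the two weaknesses the Committee heard about are visible directly: a mailbox that was never personalised answers to the default PIN from any phone, and a reset obtained over the telephone hands the new PIN to the caller. In the hardened configuration the platform will not serve remote access until a personal PIN exists, the only copy of a reset PIN leaves by SMS to the handset, and repeated failed remote attempts produce a customer-facing warning, which is the notification gap the Report returns to below.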

108.  When he was asked what more mobile phone companies should be doing to improve security, the Information Commissioner highlighted a lack of information for the public:

I wish they were a bit noisier about advising their customers on how they can keep their information secure. It is a general point, I think. There are responsibilities on communication service providers and internet service providers, and there are also things that individual consumers and citizens can do, but you kind of have to be told about them to know what it is you can do. We recently did some survey work and found that a very high proportion of people had no idea whether their home wi-fi was passworded or not. That is a pretty basic step. I wonder how many of us are very, very careful to password protect our mobile phones, not just the voicemail mailbox but also the machine itself, the device itself. I would like the mobile phone operators to be much louder in their advice to customers saying, "Look, your Smartphone, your iPhone, it's a wonderful thing, you can do fantastic things on it but there's a downside. Be careful, make sure you've set appropriate permissions, make sure you've set appropriate passwords." That should not be in the small print of some agreement written in lawyer-speak that nobody can understand; it should be up front, user-friendly advice.[96]

109.  However, he considered that the situation was improving:

I have found that the mobile phone companies are getting much better at this. I have been invited to give presentations to global privacy conferences by two of our leading mobile providers recently. They really are interested. The reason they are interested is, I think, they have got that we are now beyond the stage of kiddies in the sweet shop bowled over by the wonders of what we can see; we are a bit more questioning. ... There is a commercial reason for treating customers with respect.[97]

110.  As mentioned above, the Information Commissioner also explained that, under the new Privacy and Electronic Communications Regulations which came into effect on 25 May 2011, from now on any data controller, including a mobile phone company, which becomes aware that data security has been breached must inform its customers of this.

111.  We welcome the measures taken so far to increase the security of mobile communications. However, with hackers constantly developing new techniques and approaches, companies must remain alert. In particular, it is inevitable that companies will think it in their interest not to make using technology too difficult or fiddly for their customers, and so will not give as much prominence to the need to make full use of all safety features as they should. We would like to see security advice given as great prominence as information about new and special features in the information provided when customers purchase new mobile communication devices.

Notifying the victims

112.  Mr Peter Clarke told us that he had established a strategy for informing the potential victims of Mr Mulcaire's hacking, with the police contacting certain categories of potential victim and the mobile phone companies identifying and informing others to see if they wanted to contact the police. He had not been aware that this had not worked.

113.  We were told that from an early stage the investigation team were in close contact with, and had co-operation from, all the main mobile phone service providers. This was supplemented by communication via the Mobile Industry Crime Action Forum and its Chair. However, whilst each of the companies was well aware of the investigation, only one of those from whom we took evidence (O2) actually took the step of contacting their customers at the time to inform them that their voicemail messages might have been intercepted. It is worth setting out their reasoning in full.

114.  O2 said that, when they had checked with the police that this would not interfere with the investigation: "As soon as the above customers were identified, we contacted the vast majority by telephone to alert them that there may have been a breach of data. There were a small number of customers who were members of a concierge service that were contacted directly by that service rather than O2. There were also a small number of customers that the Police contacted directly for security reasons;" and "We informed the customers that they were potential targets for voicemail interception and changed their voicemail PIN numbers. We also offered to put them in touch with the Metropolitan police, if they wished to discuss this matter with the investigation team."[98]

115.  Vodafone's response to the investigation was less direct: "mindful of the need to avoid undermining the ongoing Police investigation and/or jeopardising any subsequent prosecutions, Vodafone sought to contact the above customers in August 2006 to remind them to be vigilant with their voicemail security."[99]

116.  Orange UK and T-Mobile UK at first told us: "We have not had any cause to suspect that particular mailboxes have been unlawfully accessed, and accordingly we have not needed to notify the relevant customers."[100] They subsequently explained that they considered it inappropriate to take any action in respect of their customers: "as any direct contact with customers could jeopardise the ongoing Police investigation and prejudice any subsequent trial. This is our standard approach when assisting in police investigations."[101]

117.  Clearly, Mr Clarke's strategy for informing victims broke down completely and very early in the process. It seems impossible now to discover what went wrong in 2006. Some of the mobile companies blamed police inaction: both Vodafone and Orange UK/T-Mobile UK said that the police had not told them to contact their customers until November 2010. AC Yates accepted that some of the correspondence between the police and the companies had not been followed up properly.[102] However, the companies cannot escape criticism completely. Neither Vodafone nor Orange UK/T-Mobile UK showed the initiative of O2 in asking the police whether such contact would interfere with investigations (and O2 told us that they were given clearance to contact their customers only ten days or so after being informed of the existence of the investigation). Nor did either company check whether the investigation had been completed later. They handed over data to the police, Vodafone at least sent out generalised reminders about security (Orange UK/T-Mobile UK may not even have done that), they tightened their procedures, but they made no effort to contact the customers affected.

118.  We find this failure of care to their customers astonishing, not least because all the companies told us that they had good working relationships with the police on the many occasions on which the police have to seek information from them to help in their inquiries.

119.  The police appear to have been completely unaware that few of the potential victims of the crime had been alerted. When we asked AC Yates in September 2010 whether possible hacking victims had been notified, he replied: "Where we believe there is the possibility someone may have been hacked, we believe we have taken all reasonable steps with the service providers, because they have a responsibility here as well, and we think we have done all that is reasonable but we will continue to review it as we go along." In response to the question "What are these reasonable steps?" he said: "Speaking to them or ensuring the phone company has spoken to them. It is those sort of steps."[103]

120.  We are reassured now that DAC Akers's investigation is setting this matter to rights by contacting all victims or potential victims. However, we were alarmed that Mr Chris Bryant MP told the House of Commons in March this year:

When I asked Orange yesterday whether it would notify a client if their phone was hacked into now, it said it did not know. However, I understand that today it believes that in certain circumstances it might notify a client. I believe that in every such circumstance the client should be notified when there has been a problem. All that suggests a rather slapdash approach towards the security of mobile telephony.[104]

121.  We expect that this situation will be improved by the coming into force of the new Privacy and Electronic Communications Regulations, which provide that when companies discover a breach of data security, they have to notify not only the Information Commissioner but also their affected customers.[105]

122.  This inquiry has changed significantly in its remit and relevance as it has progressed, and further developments are occurring on a regular basis. We expect that further discoveries will go beyond our present state of knowledge. Our Report is based on the information currently available, but we accept that we may have to return to this issue in the near future.

80   Ev142; Ev143; and Ev144

81   Evidence taken before the Home Affairs Committee on 7 September 2011, Specialist Operations, HC 441-i, Q 26

82   Ev142; and Ev140

83   Ev156

84   Ev142

85   Ev143

86   Ev140

87   Ev144

88   HC Debate, col 1171

89   Ev139

90   Ev138

91   Ev140

92   Ev142; Ev143; and Ev144

93   Q 27

94   Ev139

95   Ev142

96   Q 162

97   Ibid.

98   Ev138

99   Ev139

100   Ev130

101   Ev140

102   Q 433

103   Evidence taken before the Home Affairs Committee on 7 September 2011, Specialist Operations, HC 441-i, Qq 7-9

104   HC Deb, 10 March 2011, col 1171

105   Q 156


© Parliamentary copyright 2011
Prepared 28 October 2011