4 The role of the mobile phone companies |
96. To date in the various parliamentary, police
and media inquiries into phone hacking, there has been little
focus on the role of the mobile phone companies in advising customers
on security, protecting the data of their customers, and in notifying
customers of any suspected breaches of security or data protection.
97. We were aware that the few possible victims
of hacking by Mr Mulcaire already firmly identified by April
this year had been customers of three leading mobile phone companies:
O2, Vodafone, and the joint venture between Orange UK and T-Mobile
UK which is called 'everything everywhere' (because these names
are more familiar, we use the form 'Orange UK/T-Mobile UK' for
the joint venture in this Report). We also received some information
from 'Three' describing its security procedures relating to voicemail,
but sinceas of 8 June 2011it had had no indication
that any of its customers had been victims of hacking, we did
not pursue more detailed inquiries with that company.
How the hacking was done
98. Mobile phone companies have for some years
offered the service to customers of being able to access their
voicemails either from their own handsets or, using a PIN number,
from another phone. In order to carry out his operations, Mr Mulcaire
had to obtain the mobile phone numbers and the voicemail pin numbers
of his quarry. In 2005-06, there were considerable variations
between mobile phone companies in the ease of accessing voicemails.
Handsets often came with a default PIN number for accessing voicemail
and, it has been suggested, many of the victims may not have changed
the standard default settings on their phones. Hackers knew that
there were a limited number of default numbers and could at least
try those first. O2 told us that before 2006 customers could use
the default number for access and were not required to register
a personal voicemail PIN; Vodafone's system seems to have been
similar as it said that prior to 2006 customers were "able
to" (not 'required' to) change their voicemail PIN to a number
of their choosing; default PINs were removed on T-Mobile in 2002
and had never existed on Orange, so from 2002 onwards customers
of both companies were unable to access voicemail remotely without
a personal PIN. 
99. In oral evidence in September 2010, AC Yates
said: "When the investigation started in 2006, it was a catalyst
for the service providers to provide proper direct and more prescriptive
security advice rather than what most people did in the past,
which is leave their PIN number as the factory setting."
100. In some circumstances, even when a customer
had set a personal PIN number but forgotten this, it was possible
to ask the phone company to reset the PIN to default or a temporary
PIN number, if the person requesting it passed security checks
such as the provision of registered personal information.
Unfortunately, this sort of information is often easy for a hacker
to guess or ascertain if the customer is well known.
101. However, given DAC Akers's evidence that
about 400 unique voicemail numbers were rung from Mr Mulcaire's,
Mr Goodman's or News of the World hub phones,
it is possible that Mr Mulcaire obtained some of the information
he needed for hacking from the mobile companies by either pretending
to be someone with a legitimate right to the information or by
bribing an employee for information. We therefore tried to discover
whether phone company staff may have had access to personal PIN
numbers, which they may have been either deceived or bribed into
102. O2 said that staff did not have access to
customers' personal voicemail PIN numbers even before 2006.
Vodafone UK told us that personal PINs were held on an encrypted
platform which had always been inaccessible to its staff.
Orange UK/T-Mobile UK said that the voicemail PIN was not stored
in any readable format within either T-Mobile or Orange UK "and
therefore we do not consider it possible for anyone to obtain
a customer's unique PIN via our systems."
However, Orange UK/T-Mobile UK noted that Customer Service Advisers
may change PIN numbers at the request of customers who have, for
example, lost their phones. Whilst customers may subsequently
change the number again through their own handset, unless and
until they do so the Customer Service Adviser knows their PIN.
103. Of the three mobile companies which we knew
had had customers identified as possible hacking victims of Mr
Mulcaire, only one directly answered our question: Did you carry
out any investigation to discover how Mr Mulcaire had obtained
access to customers' PIN numbers? Vodafone told us: "Yes.
... it appears that attempts may have been made by an individual/individuals
to obtain certain customer voicemail box numbers and/or PIN resets
from Vodafone personnel by falsely assuming the identity of someone
with the requisite authority (such as the relevant customer)."
104. In his Adjournment Debate on Mobile Communications
(Interception) on 10 March 2011, Mr Chris Bryant MP said: "There
is clear evidence that in some cases rogue staff members [of mobile
phone companies] sold information to investigators and reporters."
We attempted to discover whether that may have happened in this
case. We asked: 'Were any members of your staff disciplined followed
the release of PIN numbers; and, if so, how many?' Vodafone replied
that, given it was not clear exactly how many and which of its
customers had been affected by the Mulcaire case, and given the
nature of the deception that may have been practised on its staff,
it was not in a position to investigate the matter, let alone
O2 said: "We found no evidence to suggest that any of our
staff disclosed PIN numbers (which is consistent with our investigation
that found that voicemails were accessed through use of the default
PIN number). No employee, therefore, was disciplined."
Orange UK/T-Mobile UK said: "We have no evidence of any Orange
UK or T-Mobile UK staff involvement related to this hacking incident
therefore there was no requirement to take disciplinary action.
Importantly, the systems we operate mean that individual staff
members do not have access to a customer's PIN number. They would
only ever know the PIN number when a temporary PIN is issued ...
and this would only be done when the customer had successfully
passed through our security process to verify their identity."
105. We note that, despite these protections,
each of the companies had identified about 40 customers whose
voicemails appeared to have been accessed by Mr Mulcaire. We
also note that all three companies have disciplined or dismissed
employees for unauthorised disclosure of customer information
in the last ten years,
though there is no indication that any of these employees was
linked to this case.
Measures taken since to deter
106. In his evidence to us, Mr Bryant was asked
what mobile phone companies should do to protect their customers'
privacy better. He replied:
I think they need stronger internal mechanisms to
make sure that PIN numbers aren't available to be handed out by
somebody when ringing into a mobile phone company. I think all
the phone companies should adopt the same processes as well because
people do often change from one company to another. I think it
would be a good idea if they always notified somebody when there
was any doubt about whether their phone was being accessed illegally,
which is not the policy of all the mobile companies at the moment.
Some of them do it and some of them don't, which is why, for instance,
in my case I rang Orange and found out seven years after the occasion
that my phone had been accessed back in 2003.
107. Very soon after the police began their inquiry
into Mr Mulcaire, and arguably as a result of that investigation,
the mobile phone companies reviewed and changed the way in which
they allowed customers to access their voicemails remotely (ie
not from their own handsets). Whereas previously Vodafone's customers
had been able to contact Customer Services to request that the
PIN number be manually reset to a number of their choice, Vodafone
tightened up the operation by providing that new PIN numbers could
be issued only via SMS message direct to the customer's own handset.
Vodafone also subsequently installed a new, more secure voicemail
platform, with additional procedures in place to warn customers
in the event of unsuccessful remote attempts at access.
O2 changed its voicemail service so that customers cannot access
their voicemails remotely at all unless they have registered a
personalised PIN number.
108. When he was asked what more mobile phone
companies should be doing to improve security, the Information
Commissioner highlighted a lack of information for the public:
I wish they were a bit noisier about advising their
customers on how they can keep their information secure. It is
a general point, I think. There are responsibilities on communication
service providers and internet service providers, and there are
also things that individual consumers and citizens can do, but
you kind of have to be told about them to know what it is you
can do. We recently did some survey work and found that a very
high proportion of people had no idea whether their home wi-fi
was passworded or not. That is a pretty basic step. I wonder how
many of us are very, very careful to password protect our mobile
phones, not just the voicemail mailbox but also the machine itself,
the device itself. I would like the mobile phone operators to
be much louder in their advice to customers saying, "Look,
your Smartphone, your iPhone, it's a wonderful thing, you can
do fantastic things on it but there's a downside. Be careful,
make sure you've set appropriate permissions, make sure you've
set appropriate passwords." That should not be in the small
print of some agreement written in lawyer-speak that nobody can
understand; it should up front, user-friendly advice.
109. However, he considered that the situation
I have found that the mobile phone companies are
getting much better at this. I have been invited to give presentations
to global privacy conferences by two of our leading mobile providers
recently. They really are interested. The reason they are interested
is, I think, they have got that we are now beyond the stage of
kiddies in the sweet shop bowled over by the wonders of what we
can see; we are a bit more questioning. .... There is a commercial
reason for treating customers with respect.
110. As mentioned above, the Information Commissioner
also explained that, under the new Privacy and Electronic Communications
Regulations which came into effect on 25 May 2011, from now on
any data controller, including a mobile phone company, which becomes
aware that data security has been breached must inform its customers
111. We welcome the measures taken so far
to increase the security of mobile communications. However, with
hackers constantly developing new techniques and approaches, companies
must remain alert. In particular, it is inevitable that companies
will think it in their interest not to make using technology too
difficult or fiddly for their customers, so do not give as much
prominence to the need to make full use of all safety features
as they should do. We would like to see security advice given
as great prominence as information about new and special features
in the information provided when customers purchase new mobile
Notifying the victims
112. Mr Peter Clarke told us that he had established
a strategy for informing the potential victims of Mr Mulcaire's
hacking, with the police contacting certain categories of potential
victim and the mobile phone companies identifying and informing
others to see if they wanted to contact the police. He had not
been aware that this had not worked.
113. We were told that from an early stage the
investigation team were in close contact with, and had co-operation
from, all the main mobile phone service providers. This was supplemented
by communication via the Mobile Industry Crime Action Forum and
its Chair. However, whilst each of the companies was well aware
of the investigation, only one of those from whom we took evidence
(O2) actually took the step of contacting their customers at the
time to inform them that their voicemail messages might have been
intercepted. It is worth setting out their reasoning in full.
114. O2 said that, when they had checked with
the police that this would not interfere with the investigation:
"As soon as the above customers were identified, we contacted
the vast majority by telephone to alert them that there may have
been a breach of data. There were a small number of customers
who were members of a concierge service that were contacted directly
by that service rather than O2. There were also a small number
of customers that the Police contacted directly for security reasons;"
and "We informed the customers that they were potential
targets for voicemail interception and changed their voicemail
PIN numbers. We also offered to put them in touch with the Metropolitan
police, if they wished to discuss this matter with the investigation
115. Vodafone's response to the investigation
was less direct: "mindful of the need to avoid undermining
the ongoing Police investigation and/or jeopardising any subsequent
prosecutions, Vodafone sought to contact the above customers in
August 2006 to remind them to be vigilant with their voicemail
116. Orange UK and T-Mobile UK at first told
us: "We have not had any cause to suspect that particular
mailboxes have been unlawfully accessed, and accordingly we have
not needed to notify the relevant customers."
They subsequently explained that they considered it inappropriate
to take any action in respect of their customers: " as any
direct contact with customers could jeopardise the ongoing Police
investigation and prejudice any subsequent trial. This is our
standard approach when assisting in police investigations."
117. Clearly, Mr Clarke's strategy for informing
victims broke down completely and very early in the process. It
seems impossible now to discover what went wrong in 2006. Some
of the mobile companies blamed police inaction: both Vodafone
and Orange UK/T-Mobile UK said that the police had not told them
to contact their customers until November 2010. AC Yates accepted
that some of the correspondence between the police and the companies
had not been followed up properly.
However, the companies cannot escape criticism completely. Neither
Vodafone nor Orange UK/T-Mobile UK showed the initiative of O2
in asking the police whether such contact would interfere with
investigations (and O2 told us that they were given clearance
to contact their customers only ten days or so after being informed
of the existence of the investigation). Nor did either company
check whether the investigation had been completed later. They
handed over data to the police, Vodafone at least sent out generalised
reminders about security (Orange UK/T-Mobile UK may not even have
done that), they tightened their procedures, but they made no
effort to contact the customers affected.
118. We find this failure of care to their
customers astonishing, not least because all the companies told
us that they had good working relationships with the police on
the many occasions on which the police have to seek information
from them to help in their inquiries.
119. The police appear to have been completely
unaware that few of the potential victims of the crime had been
alerted. When we asked AC Yates in September 2010 whether possible
hacking victims had been notified, he replied: "Where we
believe there is the possibility someone may have been hacked,
we believe we have taken all reasonable steps with the service
providers, because they have a responsibility here as well, and
we think we have done all that is reasonable but we will continue
to review it as we go along." In response to the question
"What are these reasonable steps?" he said: "Speaking
to them or ensuring the phone company has spoken to them. It is
those sort of steps."
120. We are reassured now that DAC Akers's investigation
is setting this matter to rights by contacting all victims or
potential victims. However, we were alarmed that Mr Chris Bryant
MP told the House of Commons in March this year:
When I asked Orange yesterday whether it would notify
a client if their phone was hacked into now, it said it did not
know. However, I understand that today it believes that in certain
circumstances it might notify a client. I believe that in every
such circumstance the client should be notified when there has
been a problem. All that suggests a rather slapdash approach towards
the security of mobile telephony.
121. We expect that this situation will be
improved by the coming into force of the new Privacy and Electronic
Communications Regulations, which provide that when companies
discover a breach of data security, they have to notify not only
the Information Commissioner but also their affected customers.
122. This inquiry has changed significantly
in its remit and relevance as it has progressed, and further developments
are occurring on a regular basis. We expect that further discoveries
will go beyond our present state of knowledge. Our Report is based
on the information currently available, but we accept that we
may have to return to this issue in the near future.
80 Ev142; Ev143; and Ev144 Back
Evidence taken before the Home Affairs Committee on 7 September
2011, Specialist Operations, HC 441-i, Q 26 Back
Ev142; and Ev140 Back
HC Debate, col 1171 Back
Ev142; Ev143; and Ev144 Back
Q 27 Back
Q 162 Back
Q 433 Back
Evidence taken before the Home Affairs Committee on 7 September
2011, Specialist Operations, HC 441-i, Qq 7-9 Back
HC Deb, 10 March 2011, col 1171 Back
Q 156 Back