During the 2004 Greek Olympics persons unknown broke into the Vodafone network and installed surveillance software to monitor the calls of over 100 people including the mobile phone of the Greek Prime Minister. Greek authorities have not been able to find who was responsible for the breach. One of the reasons given is that Vodafone apparently removed the surveillance software before the authorities were informed. The investigations were also hampered by the suicide of an engineer employed by Vodafone who worked on the affected system.
Vodafone has now been fined €76 million by the Greek privacy watchdog for breaches of the victims’ privacy, on the grounds that Vodafone did not adequately protect its network. There is talk that Ericsson, whose equipment was used by Vodafone, may also face investigation and possible sanctions.
What is interesting about this case is that even though Vodafone was not the target of the attack, it is being held accountable for not having adequate security on its systems, which resulted in the breach of the victims’ privacy.
English translations of the original press conferences are available here, while those of you with a more technical inclination may find the details of the systems used of interest.
Perhaps we should take a look at our own networks and ensure that we are “adequately protecting them”, and also that our incident response plans ensure the correct handling of potential criminal evidence. What counts as “adequate”, however, remains subjective no matter which risk assessment methodology you use.
More details on the story are available here.