Two U.K. mobile phone operators took years to notify their customers that their voicemail accounts may have been illegally accessed, according to a report by the House of Commons Home Affairs Committee released on Wednesday.
The report digs into the details of the so-called "phone hacking" scandal gripping Britain. The scandal revolves around private investigators and reporters who allegedly took advantage of weak security measures in order to access the voicemail accounts of public figures.
Three U.K. operators -- Vodafone, O2 and the Orange/T-Mobile joint venture Everything Everywhere -- knew that some of their subscribers had been targeted by Glenn Mulcaire, a private investigator employed by the tabloid newspaper News of the World, the report said.
Mulcaire was sentenced to six months in prison in January 2007 for unlawful interception of voicemail messages. The News of the World, hurt by the scandal, ceased publication earlier this month.
U.K. police decided that, while the investigation was under way, Mulcaire's victims should be notified of the intrusions either by police or by the network operators, according to the report. But a breakdown in communications led police to assume that operators had contacted the affected customers, while two of the companies made no move to contact customers, believing that to do so would interfere with the investigation.
Only one operator, O2, checked with police in 2006 to see if it could notify customers without interfering with the investigation. O2 officials told the parliamentary committee the company received clearance to notify those affected within 10 days or so of learning that there was an investigation.
"Neither Vodafone nor Orange UK/T-Mobile UK showed the initiative of O2 in asking the police whether such contact would interfere with investigations," the report said. "Nor did either company check whether the investigation had been completed later."
Vodafone and Orange/T-Mobile said police did not tell them to contact customers until November 2010, the report said. Those companies did not have an immediate comment on Wednesday morning.
"We find this failure of care to their customers astonishing, not least because all the companies told us that they had good working relationships with the police on the many occasions on which the police have to seek information from them to help in their inquiries," the report said.
The notification procedure would be different if a large data breach occurred now. The U.K.'s Privacy and Electronic Communications Regulations, which came into force on May 25, now require any data controller -- including mobile phone companies -- to inform customers of a data breach, the report said.
The number of potential hacking victims continues to grow. Police have in evidence the names of 3,870 people who may be victims, along with some 5,000 landline numbers and 4,000 mobile phone numbers, which came from Mulcaire's documents. The committee wrote that although there may be some overlap in the phone numbers, it is possible that up to 12,800 people have been affected and would need to be notified.
So far, just 170 people have been contacted by police, although 500 more people have asked police whether they might be victims.
The committee wrote in its report that it could take more than a decade at the current pace for full notification. "This timeframe is clearly absurd," the committee wrote, adding that extra funds should be made available to police for the investigation.