The problem surfaced after Vodacom attempted to upgrade its security software.
But instead of improving security the new-version software sent cellphone numbers and a unique identifier for mobile devices, the international mobile station equipment identity, to websites.
Networks use these identifiers to identify devices and blacklist and block stolen phones from accessing the network, rendering them useless.
Vodacom revealed yesterday that company engineers were urgently trying to fix the bug.
Spokesman Richard Boorman said: "Yesterday [Wednesday], a bug, which in some cases was disseminating customers' cellphone numbers and IMEI details to websites, was identified. These details however were only sporadically visible on websites.
"As soon as we became aware of [the bug] we reversed the software update," he said.
Asked how many customers had been affected, Boorman said the company was investigating "but it might not be possible to determine" the number. Vodacom has 32.5 million South African subscribers.
Vodacom offered services that allow customers to charge purchases to their phone bill, such as apps downloaded from app stores. This was especially important for customers without credit cards.
"We support services to which customers opt in, such as our Look For Me emergency location service. In these instances, we provide the cellphone number to the app store or service provider so the store or provider can charge for the service."
Such transactions were previously authenticated only by a cellphone number. The security upgrade would have authenticated with both the cellphone number and the device's equipment identifier.
"This was done as an extra security check, so we could raise red flags if we saw a cellphone number being used with more than one device for a charge-to-bill service.
"We did it because we didn't want customers to be charged for something they had not bought.
"We are not trying to gloss over this, but Vodacom did not deliberately forward this type of information for [gain].
"Vodacom doesn't sell customer information to third parties and we don't disclose personal information, such as customer names or billing information.
"The only information that would have been passed on would have been cellphone and IMEI identification numbers."
• Vodacom, your cell number, and those third parties
Source: The Times, via I-Net Bridge
For more than two decades, I-Net Bridge has been one of South Africa’s preferred electronic providers of innovative solutions, data of the highest calibre, reliable platforms and excellent supporting systems. Our products include workstations, web applications and data feeds packaged with in-depth news and powerful analytical tools empowering clients to make meaningful decisions.
We pride ourselves on our wide variety of in-house skills, encompassing multiple platforms and applications. These skills enable us to not only function as a first class facility, but also design, implement and support all our client needs at a level that confirms I-Net Bridge a leader in its field.
Go to: http://www.inet.co.za
