According to the ICO, Orange failed to keep its customers’ personal information secure, thereby exposing it to misuse. In particular, the ICO was concerned to find staff sharing login usernames and passwords to databases, meaning the operator had no way of tracking employee access to customer information.
The case highlights the ongoing problem of administering access rights and user authentication experienced by many organisations. In recent years the issue has been heightened by the growth of outsourcing and sub-contracting, which has served to complicate access privileges within the majority of companies.
The Information Commissioner’s Office is an independent authority dedicated to the protection of personal information. In May, the Information Commissioner called for stronger powers to allow his office to carry out inspections and audits to ensure organisations are complying with the DPA.