UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 907-iv

HOUSE OF COMMONS

ORAL EVIDENCE

TAKEN BEFORE THE

Home Affairs Committee

Unauthorised tapping into or hacking of mobile communications

Tuesday 14 June 2011

Ms Julie Steele, Mr Adrian GORHAM and Mr James Blendis

Evidence heard in Public Questions 176 - 318

USE OF THE TRANSCRIPT

1.

This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.

2.

Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.

3.

Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.

4.

Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.

Oral Evidence

Taken before the Home Affairs Committee

on Tuesday 14 June 2011

Members present:

Keith Vaz (Chair)

Nicola Blackwood

Michael Ellis

Lorraine Fullbrook

Dr Julian Huppert

Steve McCabe

Alun Michael

Bridget Phillipson

Mark Reckless

Mr David Winnick

________________

Examination of Witnesses

Witnesses: Ms Julie Steele, Head of Fraud, Risk and Security, Vodafone UK, Mr Adrian Gorham, Group Head of Fraud, Security and Business Continuity, Telefonica O2, and Mr James Blendis, Vice President Legal, Everything Everywhere (Orange UK and T-Mobile UK), gave evidence.

Q176 Chair: Our first session is a continuation of the Committee’s inquiry into phone hacking. May I welcome Ms Steele, Mr Gorham and Mr Blendis? For the purposes of the record, would you remind us each of your company?

Ms Steele: I am from Vodafone UK.

Mr Gorham: O2.

Mr Blendis: Everything Everywhere, which is Orange and T-Mobile.

Chair: Mr Blendis, you may need to speak up a little louder.

Mr Blendis: Everything Everywhere, which is the former companies T-Mobile and Orange.

Q177 Chair: Excellent.

You may find this unusual but we all have mobile phones, even in this day and age, and we all declare our interests because one or all of us are customers of your companies. We won’t say which to give you unnecessary publicity but we all have mobile phones, so take that as read. Also can I refer everyone present to the Register of Members’ Interests where the other interests of members of this Committee are noted?

May I start with this question to each of you? You have seen the evidence of John Yates to this Committee when he last appeared before us and the evidence that he gave to our predecessor Committee about the way in which mobile phone operators deal with the victims of phone hacking. Between you all-and you have answered specific questions in a letter that I sent to you earlier this year-you have over 100-I think it is 40, 40 and 46-customers who have had their phones hacked as part of the original investigation into the Mulcaire case, if we can call it that. At the time of you being notified of the police investigation, what was the police’s advice to you about contacting your customers, and what did you do to inform your customers that they had been hacked? May I start with you, Ms Steele?

Ms Steele: The original contact to Vodafone from the Metropolitan Police was back in December 2006. At that stage, they had one victim who they were looking at and we were looking specifically with that one customer. Later, as the inquiry developed, the Metropolitan Police gave us some suspect telephone numbers that they asked us to look at, including at who in Vodafone those suspect telephone numbers had dialled. We looked at the telephone numbers that those suspects had contacted and then we narrowed that down to just voicemail numbers, which we gave to the Metropolitan Police at that stage. What we have not seen is the evidence that is currently held by the Metropolitan Police, so our best guess is that there are about 40 victims on the Vodafone network. Now-

Q178 Chair: Yes, but obviously we are all customers, and if we found that our phones had been hacked, we would have expected somebody to tell us. Why did you not tell your customers that they had been hacked?

Ms Steele: As I was saying, we estimate that there are about 40 victims on the Vodafone network, but what we have not seen is the information that the Metropolitan Police hold, so we can’t be sure who the victims are on our own network. We worked with the police in the same way that we would in a number of inquiries-as I am sure you are aware, we work with the police. We provided them with the information that they asked for, and in order to not jeopardise any police inquiry, we didn’t make that information public.

Q179 Chair: But you know that Mr Yates has told this Committee that he had assumed that you would have contacted the victims and told the 40-if we can call them the 40-that they had been hacked. Did you not do this?

Ms Steele: That is not the case, no. We worked closely with the Metropolitan Police and, as in all cases, so as not to jeopardise the police inquiry, we did not contact our customers directly. However-

Q180 Chair: So the police did not ask you to do it?

Ms Steele: They didn’t ask us to, no.

Q181 Chair: You are absolutely certain about that?

Ms Steele: Yes.

Q182 Chair: And there was no scope for misunderstanding?

Ms Steele: Obviously we are working with memories now, and nobody who was involved in the case at the time has any recollection of us being asked to contact victims. I would like to remind you that we actually do not know exactly who the victims are because we do not have all the evidence.

Chair: Exactly.

Ms Steele: But also there is nothing in writing.

Q183 Chair: Of the 40, how many have subsequently contacted you to ask, "Have my phones been hacked?"

Ms Steele: I don’t know that number; I am sorry.

Q184 Chair: Have any of them?

Ms Steele: Yes, some of them have. At the time, as we responded in our letter, we did go out to a number of customers to remind them of the importance of voicemail security.

Q185 Chair: We will come back to that in further questions.

Mr Gorham, is that your recollection as well? How many of your customers have been hacked, as far as you are aware?

Mr Gorham: As far as we are aware from the investigation that we completed at the time, we had 40 customers that might have been affected by the voicemail incident. We made a decision that we would contact those customers and tell them the results of our investigation. We passed that information on-

Q186 Chair: So you did contact them?

Mr Gorham: We contacted all of them.

Q187 Chair: You knew who they were.

Mr Gorham: Yes.

Q188 Chair: How did you find out?

Mr Gorham: We did that by looking at call records on the network. We can see where calls are going and from that we can identify our customers who might have been affected. I cannot say that they were definitely affected, but they might have been affected.

Q189 Chair: So you did not wait for the police to say, "These are the 40"? You went through your own records and you were able, through your technology, to establish-

Mr Gorham: We identified 40 people who might have been affected.

Q190 Chair: And you contacted them.

Mr Gorham: We contacted them. We told the Metropolitan Police first that that was what we were going to do-

Q191 Chair: And what did they say?

Mr Gorham: They asked us to delay that contact for a short period of time because there was a criminal investigation that was ongoing that they didn’t want compromised-we would not want to compromise it. After that period of time-

Q192 Chair: What was the short period of time?

Mr Gorham: From memory, probably seven to 10 days.

Q193 Chair: Is that all? They asked you not to do anything for just 10 days?

Mr Gorham: Yes, because there was an ongoing investigation. We then contacted our customers and informed them what we-

Q194 Michael Ellis: How did you contact them?

Mr Gorham: We contacted them by phone, so we had a list of the customers and who they were. We then put together a team in my department and we actually contacted the customers-rang them and spoke to them-and said, "This is what we believe might have happened."

Q195 Chair: Did you subsequently find out that, in fact, they were hacked?

Mr Gorham: On none of the cases did I ever see any evidence that they were definitely hacked. Some of the conversations with the customers would lead you to believe that there were reasons why people might want to get their information, but I have not seen any hard evidence.

Q196 Chair: Thank you.

Mr Blendis, would you continue this theme for the moment? How many of your customers were hacked?

Mr Blendis: Sir, we understand that there were 45 customers who were identified as where the number that we were given by the police had contacted those customers’ voicemail and accessed it.

Q197 Chair: So like with the other cases, the police told you, did they? Or did you did you do what Mr Gorham has done?

Mr Blendis: No, no. We did not contact customers. We would never contact customers as part of a police investigation.

Q198 Chair: Yes, I understand that, but you see the different practice between the two companies. They went off and they checked for themselves, and they discovered who those customers were. You did not contact any customers in Orange and TalkTalk?

Mr Blendis: Orange and T-Mobile.

Chair: Sorry.

Mr Blendis: We did not contact those customers. Our understanding is that there is a serious risk of prejudicing an investigation if we take any action like that.

Q199 Chair: So the police did not say to you, as they said to Orange-sorry; I am mixing up my companies here. Mr Gorham you are?

Mr Gorham: O2.

Q200 Chair: So the police did not say to you, Mr Blendis, as they did to O2, "Don’t contact the customers for 10 days"?

Mr Blendis: No.

Q201 Chair: They did not tell you not to contact the customers?

Mr Blendis: We would always be under an assumption that we should not contact customers. There are a number of circumstances in which that could prejudice the investigation and we would never do that.

Q202 Chair: But why is that?

Mr Blendis: Well, there are a number of situations. You do not know, for example, that the person you are contacting is the owner of the phone. There could be people who are looking after the phones, particularly if they are celebrities and they have a number of PAs or different people who are holding their phones for them-

Q203 Chair: But isn’t this a bit of a complacent attitude? Here you find that your customers have been hacked-the police have told you that they have been hacked-and your company does absolutely nothing.

Mr Blendis: I don’t think that we did nothing. We respond to our obligations to the police; we provide them with the records. It is up to the police to investigate-

Q204 Chair: All right, that is your obligations to the police, but what about to your customers?

Mr Blendis: Well, as I said, we have to be careful not to prejudice those investigations.

Q205 Chair: Did someone tell you not to do it because you were prejudicing the investigations, or did you just assume that you were?

Mr Blendis: No, we are always under an understanding that information requests to us are confidential, and we treat them confidentially.

Q206 Chair: Sorry, can I just pursue this? Nobody told you. Mr Yates did not tell you not to contact anybody. This was a decision that you made on your own.

Mr Blendis: No, it was a decision based on practice that contact from-

Q207 Chair: Yes, but your company’s practice?

Mr Blendis: Yes.

Chair: So in conclusion-

Mr Blendis: Which we understood was common to the industry-these investigations are highly confidential.

Q208 Chair: Yes, but of course we have already seen differences between the way in which companies have operated. Let us be clear, from all of you: is it your understanding that you had no instruction, as Ms Steele said at the start, not to contact your customers?

Mr Blendis: We had no instruction to contact customers. We had no permission to contact customers.

Q209 Chair: But nobody said, "Don’t contact your customers"?

Mr Blendis: We didn’t have that-

Ms Steele: In the early stages of the police inquiry, there was an instruction not to contact our customers. As I was going to mention earlier, we did contact a number of customers with generic advice about voicemail security, and we did so in the full knowledge of the Metropolitan Police.

Q210 Nicola Blackwood: Did you ask to be informed when it was possible to contact your customers to inform them of potential risks to their information security?

Ms Steele: We did not, but I would remind you that we still are not completely clear about who the victims of this crime are because, like O2, we did a number of searches on our own network, but that does not prove conclusively that those customers had been victims. It just tells us that the suspect number dialled those customers. It does not tell us that their voicemail was accessed.

Q211 Nicola Blackwood: What about Orange and T-Mobile? Did you ask the police at any point when you might be able to contact customers you thought might be at risk?

Mr Blendis: Yes, we did as part of the current new investigation.

Q212 Nicola Blackwood: What response did you receive?

Mr Blendis: We have not had a response from them.

Q213 Nicola Blackwood: When did you ask?

Mr Blendis: I believe that was October.

Q214 Nicola Blackwood: October of?

Mr Blendis: Last year. October of last year.

Q215 Nicola Blackwood: 2010, and you still have not received your response.

Mr Blendis: No.

Q216 Chair: How did you do this? Did you write to the Metropolitan Police and say, "Can we contact our customers?", and have they not replied to your letter?

Mr Blendis: We wrote to ask what the circumstances would be when we could contact customers, how we would do that and what we would say to those customers.

Q217 Chair: Who did you write to?

Mr Blendis: I have the letter here.

Q218 Chair: Would you show it to the Committee? Could one of the Clerks bring the letter to me? What is the date on that letter Mr Blendis?

Mr Blendis: It is 2 November. Sorry, could I just add, in response, that if you make contact, you could potentially be talking to the hacker.

Nicola Blackwood: I do understand that. What I am trying to ascertain is what response you have received from the police on this particular issue.

Q219 Dr Huppert: It is fairly alarming if the police are not responding to letters, but I find it intriguing that you have taken three very different approaches: at one end, essentially, not contacting customers at all; in the middle, I guess, giving them some generic advice without mentioning what is happening; and then actually being very, very direct about it, with the approval of the police. We can look at the history of why you all decided to make those decisions, but having heard from each other now about the other routes that were taken and the contact that was had with the police, what would you recommend if there was something like this again? Which of these three models would you want to follow?

Chair: The one that you have chosen I suspect.

Mr Gorham : I suspect that that might be the answer.

Q220 Chair: I think the point that Dr Huppert is making is that there are three different approaches. There seems to be a bit of complacency and a bit of confusion about what has happened and what you should be doing. What Dr Huppert is asking is whether there should be one model that everyone follows in a circumstance like this.

Mr Gorham: My view would be that if a customer is a victim of crime, or we believe there is a crime being committed against them, we have an obligation to contact that customer, but what we must do is just keep sure that that does not compromise an investigation. There is always that check and balance, but we would always tell a customer if we think they have been a victim.

Ms Steele: Again, as I said earlier, we would not want to prejudice an ongoing police inquiry or any future legal action. I think, as is the case here, if there is still legal action ongoing from a number of customers-whether it is civil or otherwise-we would still be in a position where, without having the definitive information from the police of who the victims are, we would not contact them.

Q221 Chair: But you now have the possibility of legal action from your own customers-the contract is with them, isn’t it? If you have not contacted them, they have a case against you, don’t they?

Ms Steele: Not as I understand it but I am not a legal expert. The police asked us. I think that your response letter, James, was to the same request that we had from the Metropolitan Police. They asked us to contact our customers-

Q222 Chair: In the new inquiry?

Ms Steele: In October of last year, and we did respond to them at the time and tell them that we would do that if they could tell us who the victims on Vodafone were.

Q223 Chair: Have they told you that yet?

Ms Steele: No.

Q224 Chair: So you also wrote to the Metropolitan Police and asked for the list of victims and you have not received it. What was the date of your letter?

Ms Steele: It was November 2010 as well.

Q225 Chair: And you have not received a reply to that either?

Michael Ellis: You received a reply but not with a list of names-is that right? Or you did not receive a reply at all?

Ms Steele: We have not received a reply specifically to that letter.

Mr Blendis: I would be very happy to contact the victims if we understood who victims were and what the terms of that contact should be-

Q226 Chair: You still you do not know who they are because nobody has told you.

Mr Blendis: We know the details of the people whose voicemail was accessed.

Q227 Chair: So you know who they are.

Mr Blendis: We don’t know that they were the victims.

Q228 Alun Michael: I would like to ask you about the default position. I understand that if the police say, "We don’t want you to contact customers because that could compromise our investigations," that would put you in a situation where you have specific responsibilities, but unless there has been that specific request, is not the default position that you should contact a customer whose account has been compromised? I think the question might be made clearer if I make a comparison with somebody’s bank account. If £1,000 had been stolen from an account, surely the default position would be that the bank would tell the customer that that had happened unless there was a specific request from the police-not an assumption-not to do so while an investigation took place? In particular, Mr Blendis, should that not be your default position?

Mr Blendis: I am not sure I agree. We deal with thousands of requests from the police every week and they are-

Q229 Alun Michael: Never mind about the police for a moment; I am talking about your customers. Unless there is a request from the police for you not to do something for a period of time, because there is an investigation that might be compromised, is it not your obligation to inform your customers if you know that their account has been compromised?

Mr Blendis: Our obligation is also to the police-

Q230 Alun Michael: No, I am sorry, but with the greatest of respect, I have dealt with the police situation. If the police ask you not to do something, of course you have to respect that request-

Mr Blendis: That is the common understanding. If something-

Q231 Alun Michael: No, no. If the police ask you something, that is a different situation. I am asking about your obligations to your customers as the default position, if there has not been a request by the police for you not to disclose to the customer. Surely you then have an obligation to disclose to the customer?

Mr Blendis: I don’t think it is that straightforward. If a customer’s records are subject to the police inquiry, we don’t know what the scope of that inquiry is. We do deal with thousands of requests-hundreds of thousands a year. They are part of all sorts of investigations into all sorts of criminal activities.

Q232 Chair: Mr Blendis, of course we understand that, but this is slightly different. We are talking about the phone hacking of a member of the royal family-

Mr Blendis: It is different knowing the very specific circumstances-

Chair: Can I just finish? We are talking about members of the royal family. This includes the head of the investigation team you have been dealing with, Mr Yates, senior politicians and others. Surely this is different in substance to the thousands of ordinary requests that you get, or do you not think it is?

Mr Blendis: I think it is different once you have identified and understood what the particular circumstances of the inquiry are. We do not always have that information. In fact, most of the time we do not have it.

Chair: And of course you do not have a reply as yet.

Q233 Mr Winnick: I am just wondering how responsible you feel, as the representatives of your mobile companies, for what has occurred. Whether it is royal family members, celebrities or the rest, what feeling of responsibility do any of the three of you have on behalf of your companies for what has occurred? That is responsibility in the sense of not informing your customers accordingly?

Ms Steele: Vodafone takes its responsibilities to keep customer data confidential absolutely seriously, and in this example, people accessed voicemail by using, essentially, the PIN that should have been known only to the customer. From a Vodafone perspective, clearly we have a duty to protect our customers’ data-that we attempt to do. What we did, as soon as we learned that there might have been an opportunity for third parties operating illegally to exploit some of our processes, was to change our processes immediately, and since then we have made further technology changes.

Mr Gorham: The very same response from myself. We take the security of customer data on the privacy of their calls extremely seriously. We have measures in place to prevent misuse, and if at any stage we find that they have been compromised, we would put more measures in place to make it more secure.

Mr Blendis: Yes, we take our customer data security extremely seriously. We have a number of programmes running to protect that, and we have a number of initiatives coming through to add to those security features.

Q234 Mr Winnick: Given the quest of newspapers of a certain kind-and of those they employ for tittle-tattle and gossip about celebrities or perhaps those politicians in the news-to try to get a decent story, as they see it, does it come as any surprise that hacking has been undertaken? Was it expected that this would occur?

Mr Gorham: I think at the time the industry was not aware of the problem. Quite often with frauds that go on within society, you will find the operator is aware that there may be a weakness. I believe it was a complete surprise to the companies that this was actually going on.

Q235 Dr Huppert: Mr Blendis, thank you very much for circulating this very interesting letter. I am glad that we have had a chance to have a look at it because my understanding, from what you said earlier, was that you had written to the police asking if you could contact any of the customers and this was the letter that you provided. It seems to me that this is not a letter to which I would have expected a response.

It is a response to a series of questions. You answer all the questions-essentially highlighting the fact that you have not spoken to anybody-and it seems to fit with a very different line from what you suggested to us. This is a letter confirming that you haven’t. There is nothing here asking, "Can we talk to our customers?" You make it very, very clear that you wish to play no role in contacting customers unless directly instructed to. Is that a fairer description of what actually happened?

Mr Blendis: I do not have the letter in front of me any more.

Dr Huppert: Go and give him the copy back.

Q236 Chair: As Dr Huppert said, this is of course completely different to what Mr Yates has told this Committee, which was that he expected you to contact your customers. That is what he said in evidence to this Committee.

Mr Blendis: No, it was never our understanding that we should contact customers-quite the contrary.

Q237 Chair: But where is that reflected because, as Dr Huppert says, you are not asking in this letter to contact your customers?

Mr Blendis: We said if you can confirm the owner-subscriber of the calling numbers and the reason you believe they were calling numbers potentially unlawfully accessed, we will attempt to make contact to explain that we have been requested to inform them.

Chair: Is that the paragraph you would have liked a reply to?

Dr Huppert: Yes, it does say, Chair, "I look forward to hearing from you" on the bottom.

Chair: But you have not heard from them since. Thank you.

Q238 Lorraine Fullbrook: I would just like to do a quick follow-up on that before I ask my main question. Unlike Vodafone and O2, are you saying that you have no obligations to Orange and T-Mobile customers and that if you have not been advised by police not to contact them, you wouldn’t do so?

Mr Blendis: I think it is fair to say that we have a conflict. We have a conflict between what we would like our duties to our customers to be-to inform them and help them-and our duties to a confidential investigation.

Q239 Lorraine Fullbrook: But if you have not been advised by the police that you should not contact your customers, are not Orange and T-Mobile customers afforded the same courtesies and service as Vodafone and O2 customers?

Mr Blendis: But the customers could be the criminals-they could be the hackers. If we were to take it upon ourselves to make contact with the people who we think are the victims but in fact by doing so we simply tip off the hackers, we would prejudice the investigation.

Q240 Lorraine Fullbrook: Thank you.

I would like to ask a two-part question to all three witnesses. How do unauthorised people usually obtain phone numbers in order to use them for phone hacking?

Ms Steele: I don’t know how they would obtain the phone numbers to-

Mr Gorham: I think phone numbers are generally quite widely available because all the time in society we put our mobile phone numbers down if we get mail shots through the post box when you are out and about. I think people often do not keep their individual mobile phone numbers secure, so I believe that the numbers can circulate quite easily.

Mr Blendis: Do you mean phone numbers or PINs?

Q241 Lorraine Fullbrook: How do unauthorised people get hold of the phone numbers to use them for hacking people’s phones?

Mr Blendis: I don’t know, but they can hack into the voicemail only if they have the PIN for the voicemail.

Q242 Lorraine Fullbrook: Can I ask each of you how many of your employees have been disciplined, dismissed or prosecuted for unauthorised disclosure of information in the past 10 years?

Ms Steele: That is not something that we have publicised previously because of the obviously sensitive nature that it could lead to dismissal, but we do have a zero-tolerance policy to anybody who is-

Q243 Chair: This is a Committee in the House of Commons. We are asking you, as part of a parliamentary inquiry, how many people you have dismissed in the last 10 years?

Lorraine Fullbrook: Not only dismissed, Chair: disciplined, dismissed or prosecuted over the last 10 years.

Chair: Disciplined for giving out information.

Ms Steele: I don’t have the number.

Q244 Chair: Will you write to us to tell us?

Ms Steele: I will attempt to do that, yes. I don’t-

Q245 Chair: Attempt?

Ms Steele: Yes, I will. I will certainly respond to your questions to the best of my ability.

Chair: Thank you.

Q246 Dr Huppert: In the letter that you provided to us, you said "In the circumstances Vodafone takes a view that it would not be appropriate to discipline any personnel", if that helps?

Ms Steele: Yes. No, certainly that is not the case. We have disciplined personnel for breaches of data. In this particular inquiry, as soon as we became aware of some of the methodologies that were being used by the third parties, we launched an inquiry internally, and that investigation did not find any evidence of any collusion or any wrongdoing by our employees.

Q247 Lorraine Fullbrook: But I am not talking about just this inquiry; I am asking about the past 10 years.

Ms Steele: Yes, I realise that that is your question, but I don’t know the answer to it.

Q248 Lorraine Fullbrook: But you will write to the Committee with that answer.

Ms Steele: I will write to the Committee.

Q249 Chair: Will you write to us by noon on Friday with that information? Thank you.

Mr Gorham?

Mr Gorham: Okay. In the past year, there were 14 cases of employees who had been disciplined or dismissed when it came to breaches of security-that is not to do with this particular case of voicemail hacking; that is in the much broader area. That, for instance, could be an employee who has maybe looked at a friend’s data on the system-

Q250 Chair: Sorry, is that 14 in the last 10 years?

Mr Gorham: No, that is in the last year.

Chair: Fourteen employees in the last year.

Mr Gorham: In the last year, for various levels, and that is from an official warning through to dismissal. Often that will be because it is something to do with a domestic dispute within their family and they may have looked at somebody else’s phone records. That is an offence. That is something they are not allowed to do and they would go through the disciplinary process.

Q251 Chair: So the 14 are related in some way to a kind of data breach.

Mr Gorham: Yes.

Chair: Right, thank you.

Q252 Lorraine Fullbrook: But how many would you to estimate in the past 10 years? Would it be 140 or-

Mr Gorham: I truly don’t know.

Chair: If you could write to us, Mr Gorham.

Q253 Lorraine Fullbrook: Will you write to the Committee with the number?

Mr Blendis?

Mr Blendis: We have had two employees who have been prosecuted in the past two years for disclosure of data-that is been widely publicised. In fact, we initiated the investigation and notified the Information Commissioner.

Q254 Lorraine Fullbrook: That is prosecuted. What about dismissed or disciplined?

Mr Blendis: Those are the only two that I know of.

Q255 Lorraine Fullbrook: What about in the past 10 years?

Mr Blendis: That is my knowledge in the past 10 years. There are other investigations going on. We have a fraud and security team-

Q256 Lorraine Fullbrook: Could you find out for sure and write to the Committee?

Mr Blendis: Yes, of course.

Chair: Thank you. Nicola Blackwood had a question on this.

Q257 Nicola Blackwood: It is just to go back a little bit. I am still very concerned about the confusion about responsibility to contact customers and victims, and the fact that the police appear to think that the responsibility lies with phone companies but there seems to be a difference of opinion among phone companies about where responsibility lies. I can understand that that confusion would have existed under current circumstances.

My question is: are you going to change your practices going forward? In the future, when the police come to you with similar investigations, are you going to have a practice or a protocol in place to ensure that there is a clear decision about who should undertake responsibility to contact the customer in each individual case so that customers do not remain falling between the cracks with nobody taking responsibility?

Mr Blendis: In similar circumstances, I think that we would be keen to let victims and customers know. We would be keen to do that without prejudicing the inquiries, so we would have to have a discussion with the police as to what the circumstances were, who we could contact and what-

Q258 Nicola Blackwood: In future, when the police come to you, will you ask directly, "Will you, in this case, be contacting the customer or shall we do it?", and will you ask them for a time when you can do it?

Mr Blendis: I think we would ask them for permission to contact customers and for them to identify who the victims were so that we did not contact hackers.

Q259 Michael Ellis: Mr Gorham, as far as your evidence is concerned, I think you said that your company, acting on data and information that were within your possession and control, researched how many customers may have been affected by this hacking and came up with a figure of about 40. Do I understand correctly that you did that by having the phone number of a suspicious individual with which you had been supplied with by the police and then by looking at that phone number’s calls out-outgoing calls-you saw who that person then called, and from that information you were able to look and see whose phones had been called? From that information, did you ascertain that they were celebrity-type individuals-you could see the identity-members of the royal family or other persons in the public eye?

Mr Gorham: Some of them were in those spheres, yes.

Q260 Michael Ellis: I see, right. So you did not contact any of those people.

Mr Gorham: No, we did contact them.

Q261 Michael Ellis: You did contact them.

Mr Gorham: Yes, we told the police we were going to. As I said before, we then had a period of time when they said, "Could you hold off contacting them?" and then we contacted each of those people individually.

Michael Ellis: We may come back to that in a moment.

Q262 Chair: Before we do, will Mr Gorham and Ms Steele respond to Nicola Blackwood’s question to Mr Blendis-we took one view but not the other two?

Mr Gorham: We would take exactly the same strategy that we did at the time. We would always tell our customers unless we were specifically told by the police that we could not, and then we would want to judge the reason, so there is no change from O2 on how we would handle this.

Ms Steele: From Vodafone, our response is similar to Mr Blendis’s. We would absolutely work with the police, as we do currently. We would ensure that we did not prejudice any ongoing legal proceedings. I think we would, given what we have now learned, have a point in time when we would make sure we had absolutely clarity with the police.

Q263 Bridget Phillipson: I am clear that there still has not been a marrying-up of the information that you formed about the people you suspect may have been victims of phone hacking with the information held by the police about the people they believe have been victims of phone hacking. Those two pieces of information have not been-

Ms Steele: The police have all the information.

Q264 Bridget Phillipson: Do the police have all the information now?

Ms Steele: Yes, they have had all of the information-

Q265 Bridget Phillipson: Presumably for the police then to take whatever steps. You therefore do not believe that you would have a role at this point in contacting further customers.

Ms Steele: We have said that we would contact further customers if the police asked us to. However, at this stage, we have done a similar exercise to O2’s to identify approximately 40 customers who we think might have been victims, but without marrying that with the information that the Metropolitan Police hold, we can’t be sure.

Chair: Basically, in answer to Ms Phillipson’s question, the three of you still have not had a definitive list of people from the Metropolitan Police. No? All right; thank you.

Q266 Lorraine Fullbrook: Chair, can I ask each of the three witnesses what are the names of the people who you know have been hacked into?

Ms Steele: I don’t have that list with me and, as I said, we don’t know absolutely that those people have been hacked into. We have done the same as O2 and run an exercise to look at who the suspect numbers dialled-

Q267 Chair: So because you are still waiting for the list from the Metropolitan Police, this is still guesswork.

Ms Steele: We have identified approximately 40 people who we think might have been victims-

Q268 Lorraine Fullbrook: Do you have names to those?

Ms Steele: I don’t have that list with me, no.

Mr Gorham: We no longer have a list of the 40 customers that might have been affected, although the data were given to the police. All I could do would be to use my memory to recall some of the names.

Mr Blendis: No, we don’t have that.

Chair: It is most unsatisfactory, isn’t it, if you still do not know which of your customers have actually been hacked?

Q269 Lorraine Fullbrook: Chair, can I ask that if Mr Gorham has given the list of names to the police, he should also give it to the Committee?

Chair: Will you send us that list, Mr Gorham?

Mr Gorham: The list of names? What we gave to the police was call data, so we gave them all the call records as part of the evidence. The police have all the call records-

Q270 Lorraine Fullbrook: But you must be able to identify a name of the customer to the number?

Mr Gorham: Yes. Just to go back, we no longer hold the list of names that we produced. Given the space of time, I don’t believe we gave that list to the police. What we gave the police were the call records.

Q271 Chair: You are saying we should go to the police and ask them.

Mr Gorham: They will still have the call records; we don’t have the call records.

Q272 Michael Ellis: Surely your normal data deletion protocols would be departed from in circumstances where there is a police investigation. You wouldn’t delete the information that might still be pertinent for an ongoing police investigation, would you?

Mr Gorham: No, but we actually give them the call records at the time, so the police hold all those call records from six years ago. We wouldn’t-

Q273 Chair: Mr Blendis, do you still have the records or have you deleted your records?

Mr Blendis: Those records are held by the police, we do not keep them.

Q274 Chair: The police have them. Ms Steele?

Ms Steele: We do hold some records of the investigation at the time, but all that input-

Q275 Lorraine Fullbrook: Chair, this doesn’t sound right. Are you saying, as a telecoms company, that you do not know the names of those people, that you have passed those records to the police, and that you are now leaving it to the police to find out who those people are? Is that what you are saying?

Ms Steele: That is not what I am saying.

Q276 Lorraine Fullbrook: So you do know the names of the people.

Ms Steele: We passed the evidence to the Metropolitan Police at the time, as I understand it, including the names of the people that we thought were victims potentially.

Q277 Lorraine Fullbrook: You said earlier you that did not have the names and that you had the records.

Ms Steele: I don’t have them with me-the names. That was O2, I think.

Q278 Chair: Okay, let us be clear what you have and you do not have, because I think members of the Committee are confused. What you do not have-any of you-is a list of names from the Metropolitan Police of your customers who they say have been hacked. Is that right? Maybe a nod would be fine.

Lorraine Fullbrook: But they do have, Chair.

Chair: Secondly-I must move to the next section, Ms Fullbrook-you do have, Ms Steele, a list of names of people who you think might have been hacked, or who the police have asked you to provide further information about.

Ms Steele: Yes, we have our files from this time of the original investigation, and I believe that has been-

Q279 Chair: I think that is what Ms Fullbrook is after. If you could send us that list-

Ms Steele: I don’t have the list with me and-

Chair: No, we understand that. We don’t expect you to carry your filing cabinets with you.

Ms Steele: Is that something that the Metropolitan Police should disclose, though, rather than-

Q280 Chair: Right. We will discover whether it is best for you to give it to us or to the Metropolitan Police, but there is a list somewhere that has all these names.

Ms Steele: We have our case files from the time.

Q281 Chair: You have the case files. Mr Gorham, you don’t any case files left because you deleted everything.

Mr Gorham: Yes.

Q282 Chair: But you say the police have your list of 40 names.

Mr Gorham: The call records.

Chair: The records.

Mr Gorham: That make that up, yes.

Q283 Chair: They have had all the records. You sent that to whom?

Mr Gorham: That went to the police six years ago, so we gave them all the data.

Q284 Chair: Were they sent to Mr Yates or Mr Clarke?

Mr Gorham: No, that would have gone to the investigation team at the time.

Q285 Chair: Right. And you, Mr Blendis; you know nothing?

Mr Blendis: I believe we are in the same position as O2.

Q286 Chair: Right, but you do not even know the names of the people.

Mr Blendis: We do not know the names.

Q287 Chair: Because they have some records but you have nothing.

Mr Blendis: I believe it is the same as O2. We supplied the records to the police and that was our exercise.

Q288 Chair: You can understand the concern of the Committee, can you not, as we listen to the answers of each of your colleagues, that there is a bit of confusion here?

Mr Blendis: I think you have to understand the context of the original investigation. We were just asked to supply them.

Q289 Michael Ellis: Mr Blendis, it is in relation to that context that I have this question. I asked before how it was that the companies-and particularly Mr Gorham’s company-knew to look, and was because the police provided the phone number of a suspicious person who was believed to have been responsible. It was from looking at that person’s outgoing calls that you were able to see a list of 40-odd people who might well have been subject to hacking. However, in the context of the type of people we are talking about-this is not Joe Bloggs from 52 Acacia avenue; many of these names are famous names-are the three of you, and particularly Mr Gorham, saying that you have no recollection of or you cannot recall any of the names involved?

Mr Gorham: I can remember some of the names from the investigation. For obvious reasons, you can understand I might be slightly uncomfortable to start giving some of those names, so I will take the Chair’s advice.

Chair: We will pursue this. You do not have the records. They have gone to the police and you write to the police.

Q290 Alun Michael: Can we look at the way in which you serve your customers, in particular in relation to what information and advice you give them about protecting their calls, voicemails and e-transactions from hacking? How do you provide that advice?

Mr Gorham: Do you want me to go first? We have information on our website. If you go to our web portal, there is information there about voicemail-how you can use it, how you can secure it and advice about the use of PINs. Also, if you were to go into one of our stores, they will give you advice, and you can see one of our gurus who will give you advice on that. There are multiple channels through which we give customers advice.

Q291 Alun Michael: Can I ask you-then I will come to the others-whether people have to go looking for that advice as distinct from you proactively encouraging them to build the following of that advice into the day-to-day way in which they manage their affairs?

Mr Gorham: It is built into the day-to-day working because now if you now want to set up a voicemail, you have to set up a PIN. We have taken away the facility for you, as a customer, to decide to have a PIN not. In the old days, you would think, "Do I want a pin number?"

Q292 Alun Michael: When did you make that change?

Mr Gorham: We made that change immediately after this incident, so now-

Q293 Alun Michael: In other words, you have responded-

Mr Gorham: Yes, the customers have to now have their own individual PINs.

Q294 Alun Michael: And you are improving the way you try to help customers automatically to be able to look-

Mr Gorham: Yes, and we have taken that choice away from customers. They have to set a PIN.

Q295 Alun Michael: And the others?

Ms Steele: Information from Vodafone UK is available in written format in store, or from a business account manager, if you are that type of customer. We also have a lot of information online. For all new customers, when they join Vodafone, the first three times they dial into their voicemail they will be played a voicemail tutorial that will encourage them to set a PIN. If a customer chooses not to set a PIN, they will not have remote access to their voicemails.

Q296 Alun Michael: Fair enough, but is it built into what people come to automatically?

Ms Steele: Yes, it is.

Q297 Alun Michael: Thank you. Mr Blendis?

Mr Blendis: Yes, we have a similar position. You cannot use remote access to your voicemail unless you set up a PIN, and there is a tutorial to explain security breaches.

Q298 Alun Michael: Okay. Can I ask the second important question then: what proportion of your customers follow that advice and the opportunity that is offered to them, and what proportion do not?

Ms Steele: I am not sure that I understand the question, sorry.

Q299 Alun Michael: You offer the facility-let’s start with Mr Gorham first, as he kicked off-and you have said how you have changed it so that people essentially have to put in a PIN. Does that mean that they essentially have to use that facility?

Mr Gorham: They have to follow it now.

Q300 Alun Michael: They have no choice, in your case.

Mr Gorham: They have no choice. We have taken that choice away from customers.

Q301 Alun Michael: Are there other elements of protection that you advise them to undertake as well, or is that the key element?

Mr Gorham: That is the key element.

Q302 Alun Michael: Right. Ms Steele, I think you said that you offer advice to customers and that they have to-the first couple of times that they phone in-respond by taking that advice or not, so that is a slightly different situation.

Ms Steele: Yes. The first three times they call voicemail, they get a tutorial.

Q303 Alun Michael: What percentage of people take that advice by the third call?

Ms Steele: Sorry. For those customers who do not take that advice, there is no way they can access voicemail without using the handset. For the customers who do listen to that tutorial, there are two levels of security that they can select-standard and enhanced. I am afraid that I do not have the breakdown of which customers choose which options.

Q304 Alun Michael: Could you let us have that?

Ms Steele: Yes.

Q305 Alun Michael: Mr Blendis; the same question.

Chair: Very quickly.

Mr Blendis: The remote voicemail is locked to anybody trying to access it. Only the customer can access it if they set up their own PIN.

Alun Michael: It is built into the system then. Thank you.

Chair: I am sorry, but may I just say to colleagues and witnesses that we have another inquiry into police pay and conditions and the landscape of policing following this and our witnesses are being kept waiting, so can we have brief questions and brief answers?

Q306 Michael Ellis: Just following on from Mr Michael, let us see if we can understand what happened previously and what is different now. Previously, if you bought a mobile phone and did not set up a new PIN to protect your voicemail, it was possible, was it not, for anyone who knew your phone number to access your voicemail using a default PIN. Is that right?

Mr Blendis: No, that is not the case. Our voicemail has always been locked to remote access. A customer has to set up a PIN to get access to it.

Q307 Michael Ellis: You always had to do that during the period in which we are interested in in this inquiry?

Mr Blendis: Yes.

Q308 Michael Ellis: It was not the case that there was some sort of default PIN setting that somebody could use-one, two, three, four or whatever-that would have allowed access.

Mr Blendis: Not for the period of this inquiry. We had a default PIN on T-Mobile back before 2002, but that was changed in 2002.

Q309 Bridget Phillipson: As a matter of routine-this investigation aside-if the police or a customer informed you that they believed a phone had been accessed illegally, how would you respond to that?

Ms Steele: The first thing that we would do would be to investigate whether or not there were any signs of their voicemail being accessed remotely. If there were any signs of voicemail being accessed remotely, we would obviously ask them to report that to the police, and we would share that evidence with the police. I am not aware of any cases of that happening for Vodafone UK since 2006.

Mr Gorham: Is this where a customer has contacted us?

Bridget Phillipson: Either a customer or the police.

Mr Gorham: If a customer contacts us, we will make investigations in exactly the same way as Vodafone on the networks to see whether there is any evidence to support it. We would then go back and talk to the customer about that.

Mr Blendis: Yes, we would suggest that we involve the police and assist in that investigation.

Q310 Bridget Phillipson: Is there a process whereby employees can alert you if they feel that suspicious activity is occurring on someone’s account, and how would that lead to action being taken?

Ms Steele: In Vodafone UK, we have a duty-to-report policy available to all our employees. They can alert through their line management, through the fraud, risk and security team, or through an anonymous whistle-blowing hotline if they have any concerns.

Q311 Steve McCabe: You have all made some sort of changes to try to improve security since this happened. How safe is the information from would-be hackers now?

Ms Steele: For Vodafone UK, the changes include that if our customers forget their PIN, they are no longer able to contact customer services and ask us to set it to a number of their choosing. We can set it only to a randomly generated four-digit number, and then the customer can personalise their PIN. They were then, and they are now, held in an encrypted format and cannot be read by anybody within Vodafone UK. If they are reset, that is sent directly to the handset user. Similarly, any failed attempts to access voicemail by using the wrong PIN would generate a text message to the user.

Q312 Steve McCabe: Are you fairly confident that the information is protected now?

Ms Steele: Yes, the PINs and the voicemails themselves are held on separate platforms, both of which are encrypted and not available to anybody.

Mr Gorham: I am confident with the level of security we currently provide in this area. Unfortunately, however, it is a fact of life that the criminals are always keeping one step ahead, so we have to keep sure that we are close alongside them and then we will put more features in place if required. As we stand at the moment, however, I am confident that we have a good level of security in place.

Mr Blendis: We have similar features. We also brought in a new feature after the investigation that if a PIN is changed on the voicemail account, a text is sent to the handset to notify the owner that that has happened.

Q313 Steve McCabe: I noticed one of you said earlier that you did not feel that you necessarily had any direct responsibility for what had happened to the customer. In view of the security enhancements you now have in place, do you have any responsibility for your customers now if their private communications are being heard?

Mr Blendis: The things that we have brought in were to respond to hacking and the assumed attempts of social engineering and suchlike to get PINs, so they are added developments that we think will protect against-

Q314 Steve McCabe: I guess what I am asking is: if I am your customer and my phone gets hacked, do I have any redress in relation to you?

Mr Blendis: If you are talking about a criminal fraudulent action, I think it would depend on what that was and how the intrusion occurred.

Q315 Bridget Phillipson: Presumably, you are not always talking about criminal gangs. It could be, as you talked about earlier, family disputes where someone may be looking to act-they might have the necessary information to try to impersonate someone or guess their PIN, or have access to their mobile phone. It could be that kind of dispute rather than a kind of criminal enterprise. Is that fair, in general cases?

Mr Gorham: Yes, that is correct.

Nicola Blackwood: I just want to take you back to some comments you made to Bridget Phillipson about employees and customers alerting you with concerns about abuses or hacking into their phones. I doubt that you have the figures here, but I wondered if you could write to the Committee to provide us with figures from the past five years about investigations that you have conducted into suspected hacking based on reports from employees and customers. It would very helpful to show a trend. Thank you very much.

Q316 Chair: Thank you for giving evidence. I think what this has shown is there has been a different approach taken by the mobile companies, but you are all very clear that you have not received a letter or any instruction from the Metropolitan Police telling you to do anything with or without your customers. Is that right?

Ms Steele: Yes.

Q317 Chair: You are still awaiting a letter from them-from 2 November. Are you still awaiting a letter from them?

Ms Steele: Yes, I am.

Q318 Chair: You are. Mr Gorham, you passed everything over to them so you are not waiting for any-

Mr Gorham: Yes, and we contacted our customers, so we have had no need to clarify.

Chair: My Clerk will be in touch with you after the meeting to explain what information we will require further. We are most grateful to you. Thank you very much for coming today.

Prepared 20th June 2011