Senior communications managers for the Police, the New Zealand Army, the Air Force, the Department of Internal Affairs, an advisor to Progressive Party leader Jim Anderton, Auckland Mayor Dick Hubbard and a Police CIB officer are among names on a list of prominent New Zealanders whose 027 voice mailboxes have been accessed by a teenage hacker.
The list included the name of the Inspector-General of the Security Intelligence Service, Paul Neazor. However, the hacker appears to have targeted the wrong man as the phone actually belongs to Neazor's son, who has the same name.
The names were contained in a message sent to Computerworld by the hacker, together with phone and voicemail PIN numbers for each person.
When contacted by Computerworld, Police communications manager Noreen Hegarty confirmed the PIN the hacker had beside her name was her real voicemail PIN. Another police communications manager, Jayson Rhodes, also said that the PIN on the list matched the PIN he uses. “You’ve thrown me a bit there,” he said.
Vince Cholewa, communications advisor for the Department of Internal Affairs, declined to say whether the PIN number given by the hacker was correct. “I don’t really want to discuss my PIN number,” he said.
Telecom public affairs manager John Goulter also refused to confirm his PIN when contacted by Computerworld.
Goulter says Telecom will be contacting its 1.5 million mobile customers and 1.4 million landline users, probably through TXT or voicemail messages. Asked whether Telecom can automatically disable the Optional PIN entry feature that the hacker has exploited, he says that would inconvenience many of its customers. “We would have to be certain that is a step that customers would want us to take,” he says.
Telecom takes the security of its customers’ voicemail seriously, Goulter says. “We’re putting every effort into making sure they are as safe as possible.”
Computerworld alerted Telecom to the vulnerability in its voicemail system on Wednesday. In a press release the following day, the company said it believed a voice mailbox had been accessed in an “isolated incident”, despite Computerworld’s warning that the hacker claims to have accessed the mailboxes of senior police and public figures.
Telecom customers can protect themselves by disabling the Optional PIN feature on voicemail accounts. By disabling the feature, an attacker is unable to access the account. Computerworld understands some Government departments and private companies have already started instructing their staff to disable the Optional PIN feature.
Customers who fear their accounts may already have been compromised should also change their PIN numbers — and PIN numbers for any other services, such as burglar alarms or online banking, if the same PIN number has been used.
[Editor's note: an earlier draft of this story identified Neazor as among the victims of the hacker. In fact, the hacker mistakenly accessed the voicemail of Neazor's son, who has the same name.]