The NY Times published an article on September 1st detailing how tabloid reporters in the UK gained access to celebrity voicemails. Using this access, the reporters were able to peek into the very private lives of public figures. (The articles can be found here).
Basically, the tabloid reporters built a list of celebrities’ cell phone numbers by working with private investigators. The reporters then went further and directly or indirectly gained access to the cell phone voicemail.
There were two different, very low-tech techniques that were used to get to the voicemails. The first one involved guessing the 4-digit PIN associated with the voicemail. Often, this one succeeded when the default voicemail PIN was used, since many people don’t seem to change their voicemail PIN.
The second method was a little scarier. The reporter would call the phone company and convince a representative either to reset the voicemail PIN or to disclose it. Either way, once the reporters had the PIN, they could listen to voicemail messages on the cell phones.
Once the reporters started listening to the voicemails of the royal family, the police got involved. During their investigation, the police discovered a list of 91 cell phone numbers and associated voicemail PINs during a search of Glenn Mulcaire’s residence. (This search happened in 2006.) Mulcaire was a private investigator working with Clive Goodman, a reporter at the “News of the World”.
Now the police were in a tough position. They had a list of compromised voicemails. Should they notify all of the people on the list that their voicemails were potentially compromised? It appears from this article that the answer in the UK is no. The government was under no obligation to notify the individuals that their voicemails were compromised.
Would the laws in the US be different? After all, many states in the US have passed laws where private companies are obligated to notify affected parties when their security has been breached. By extension, would the police in the US be bound to notify people if their cellphone numbers and PINs were found on a list seized in the residence of a hacker? It appears from my discussions with those in the field that the answer is “no” here too.
This article points out a couple of very important issues:
First, voicemail security is weak while the contents of voicemail are interesting. It seems likely that the contents of voicemails might be interesting in a civil court proceeding or business negotiation. At a minimum, make sure that you have a PIN that is not the default PIN. It probably makes sense to change it periodically as well.
Second, if the police have discovered that your voicemail was hacked as part of a broader investigation, keep in mind that it appears in the US that they are not under any obligation to notify you. Basically, it comes down to the fact that you alone are ultimately responsible for the security of your voicemail.