"These actions were a positive step to preventing any possible unauthorised access to the personal information held by Vodafone until such time as the allegations could be investigated," the report reads.

"By way of reaching a resolution to this matter, the Privacy Commissioner welcomes Vodafone's undertaking to improve its data security measures and requests that Vodafone report back to him about the outcome of its IT security review and progress of its implementation program."

In a statement, Vodafone Hutchison Australia (VHA) chief executive, Nigel Dews, said the telco had outlined "immediate action" taken to strengthen data security, including login identification and authentication processes, more frequent password resets, limiting approved access points for stores and dealers, and even more stringent monitoring and detection technologies.

"There were areas that needed improvement, which this incident highlighted," Dews said. "We responded quickly, took action with those employees involved who had shared passwords, and brought forward the implementation of a number of new security measures to better protect all customer information."