Cyber Security Factsheet
Vodafone Group Plc Cyber Security Factsheet 2023
1
Vodafone Group Plc Cyber Security Factsheet 2023
Introduction
Strategy
Governance
Risk management
Events
Introduction
Contents 02 Our cyber security strategy 02 Our customers Strategy
Highlights
Our role is to enable connectivity in society. As a provider of critical national infrastructure and connectivity that is relied upon by millions of customers, we prioritise cyber and information security across everything we do. Our customers use Vodafone products and services because of our next-generation connectivity, but also because they trust that their information is secure. Cyber attacks are part of the technology landscape today and will be in the future. All organisations, governments and people will be subject to cyber attacks and some will be successful. The telecommunications industry is faced with a unique set of risks as we provide connectivity services and handle private communication data. Our operating model is designed based on this knowledge and focused on how we prevent, detect and respond to attacks to minimise the impact. This factsheet provides detail on our approach to managing cyber risk at Vodafone, as well as how we protect our customers from cyber threats. Our cyber security strategy is aligned to the Company’s 2025 technology strategy and focused on the actions we need to take to protect our customers and society now and in the future.
Our vision
is a secure connected future for our customers and society through consistent cyber security baseline, global telemetry and deep expertise
Global scale
03 Operating model 04 Our cyber code 05 Governance Governance
Agile team
able to mitigate changing threat landscape
18.5 million
consumers and businesses use our cyber security solutions to protect themselves across our global technology function and 15 local markets
ISO 27001 certified
07 New technologies, industry practice and regulations 06 Identification of vulnerabilities and risks 06 Risk and Control framework Risk management
Independent testing
of our mobile networks every year
Training for all employees
with cyber incident simulations run with leadership teams
Videos
Scan or click to watch our cyber security experts summarise our approach to cyber security: investors.vodafone.com/videos Scan or click to watch our Chair talk about the importance of cyber security during a Board site visit: investors.vodafone.com/videos
Contribution to UN Sustainable Development Goals (‘SDGs’)
08 Cyber incidents Events
2
Vodafone Group Plc Cyber Security Factsheet 2023
Introduction
Strategy
Governance
Risk management
Events
Strategy
Our cyber security strategy Our vision is a secure connected future for our customers and society. We are motivated by a clear purpose to inspire customer trust and loyalty by providing sustained cyber security, ultimately contributing to a secure society and an inclusive future for all. Our cyber security strategy sets out how we plan to achieve these goals. It is aligned to, and forms part of, Vodafone’s 2025 technology strategy. Our cyber security strategy has six pillars. – Control evolution: Maintain and improve our security controls beyond the existing cyber security baseline with an adaptive and risk-based framework. – Secure by design: All products and services have security built-in whether we build them ourselves or buy them from vendors. – Dynamic Trust: Strong zero-trust security based on dynamic risk-based access which is frictionless for users, for example, multi-factor authentication and moving away from passwords. – Real-time data, real-time response: The next generation of our detection and response capability, more automated and based on advanced analytics. – Spirit of Vodafone & cyber culture: Engaging our people, nurturing our engineering community and Group-wide cyber security training and simulations. – Security for society: Collaborate widely to encourage standardisation, share intelligence, and engage on regulation. We review our cyber security strategy each year and align priorities to the budget cycle, so our operating companies are clear on the investment priorities for security.
Strategic pillars
Our customers We provide cyber security support to our customers through Vodafone Consumer and Vodafone Business. For Consumers, we offer our Secure Net service to help keep them and their families safe. Secure Net detects and protects against online malware, infections and viruses, provides smart alerts if a customers’ identity is compromised, and provides parents with advanced parental controls. At the end of March 2023, Secure Net was available to mobile customers in 10 markets and converged customers in a further 5 markets and had 17 million subscribers. Where Consumers subscribe to additional security products, such as Secure Net, there are also significant NPS benefits. We also provide cyber security support to our business customers through Vodafone Business. Our products and services help our business customers of all sizes protect themselves from the evolving cyber security threat landscape and adapt to a new model of security necessitated by the adoption of hybrid working. Our portfolio of cyber security solutions for businesses is available in 16 markets and has 1.5 million users. Our products and services leverage our global network and partnerships, such as those with Accenture, Palo Alto Networks, Trend Micro, and VMWare, to make enterprise-grade security services accessible to organisations of any size. For SOHO and SME customers our focus is on click-to-buy services covering mobile, endpoint and network security. We are also expanding our services to cover emerging challenges such as human risk mitigation, risk assessment and certification. For mid-market business customers, we offer a range of professional and managed services that provide support across the full spectrum of an organisation’s cyber security needs – assessing risk with vulnerability assessments; penetration testing and cyber exposure diagnostics; protecting the organisation with firewall management and phishing awareness campaigns; through to full scale managed detection and response, and breach response and forensics services. For larger and multinational organisations, Vodafone Business offers a range of network, endpoint and managed security solutions to enhance mobile and fixed portfolios in this segment.
Dynamic Trust
Security & Privacy by design
Real time data, real-time response
Security & Privacy for Society
Security & Privacy Control evolution
Spirit of Vodafone & cyber culture
Year ahead Our core priorities for the coming year include continuing to implement and maintain our cyber security baseline controls – particularly in respect of protecting against ransomware, software security and multi-factor authentication for customers. Key security programmes include modernising our security event monitoring and data analytics platforms, enhancing our coverage for managing privileged access to network and IT systems, and implementing dynamic risk-based access rights for our workforce. We will also continue to enhance our cyber security awareness programme for all employees. Read more about our training and awareness programme on page 4
Click or scan to watch a video case study on how Vodafone Business security solutions are helping a leading international law firm: v odafone.co.uk/business/why-vodafone/case-studies/dac- beachcroft-and-managed-security-services
3
Vodafone Group Plc Cyber Security Factsheet 2023
Introduction
Strategy
Governance
Risk management
Events
Governance
Operating model We have implemented an operating model based on the leading industry security standards published by the US National Institute of Standards and Technology (‘NIST’). The model is designed to reduce risk through constantly protecting, defending and improving our security. We have an in-house international team of almost 1,000 employees and we also work with third-party experts in specialist areas. Our scale means we benefit from global collaboration, technology sharing and deep expertise, and ultimately have greater visibility of emerging threats. Cyber security function Team Responsibilities Governance, Risk and Control – Oversee cyber risk management across the Group. – Define and ensure adoption of policies and controls and measure control effectiveness. – Identify and minimise supplier cyber risk. Strategy and Secure by Design – Define cyber strategy in line with technology function and Group strategies. – Ensure products, services and internal systems are secure by design. Cyber Prevent – Engineer, deliver and operate global security platforms and controls, driving continuous improvement. Cyber Defence – Perform threat intelligence & security testing, and detect events and attacks through 24/7 monitoring. – Respond to incidents to minimise the impact of security events on our business and customers. Local Market Teams – Responsible for managing and embedding cyber security in our local markets, including meeting local cyber regulatory and compliance requirements. Internal knowledge sharing We make sure that all our cyber security experts understand our cyber security strategy and how it translates to their daily work. As well as monthly all-hands meetings, we organise twice yearly Cyber Connect CyberCon events for our entire global cyber security team. The events include a recap of our strategy and achievements, messages from senior leadership, external industry speakers, collaborative breakout groups and technical track sessions to learn about cyber topics and best practice. We use technology to enable a hybrid experience with some attending in offices and some remote, but anyone from our global cyber security team is able to participate.
Our approach to cyber security
Our approach to cyber security is summarised in the following diagram and the accompanying video linked at the bottom of this page. In the video, cyber security experts from across a number of teams within the cyber security function explain our approach across the lifecycle: identify, protect, detect, and respond and recover.
R i
Measure & Assess Risk
Set Policy & Select Controls
l
Risk & Threat-based Security
Deploy controls, Maintain Systems
Monitor & Respond to events
y
P
Scan or click to watch our cyber security experts summarise our approach to cyber security: investors.vodafone.com/videos
4
Vodafone Group Plc Cyber Security Factsheet 2023
Introduction
Strategy
Governance
Risk management
Events
Governance continued
Our people Although the cyber team leads on detect, respond and recover, preventative and protective controls are embedded across all our technology and throughout the entire business. Every employee has responsibility for cyber security and must follow the Vodafone Cyber Code, be sensitive to threats and report suspicious activity. Embedded in our Code of Conduct, the Cyber Code is the cornerstone of how we expect all employees to behave when it comes to best practice in cyber security. It consists of seven areas where employees need to follow security good practice. Click to read more about Vodafone’s Cyber code in our Code of Conduct: vodafone.com/code-of-conduct Training and awareness programme Our cyber security awareness programme is delivered digitally via our internal social media platform, videos and webinars. In addition, we perform regular phishing simulations across all markets and functions to raise awareness and train employees, with a target to run two exercises in each market or function per year. We have recently upgraded our capability to
run multi-market simulations and in the most recent exercise, sent almost 90,000 emails to employees in nine European markets and a number of Group functions. Using a standardised phishing test allows us to compare responses consistently. Those who click on the link in the phishing message receive immediate training. Cyber security is included within our Doing What’s Right training programme and our latest module was translated for non-English-speaking markets during the year, having been launched in English last year. We are also about to launch a training manual for contractors. Training on our Code of Conduct and cyber security is included in our standard induction process for new employees, and we expect every employee to complete annual learning interventions when assigned. We have recently performed another round of incident simulations for our local market Executive Committees. Up to the end of FY23, we had completed simulations in Germany and UK and the remaining markets will be planned for FY24. The simulations provide CEOs and their teams a realistic and tailored experience of managing a cyber incident and exercising their responsibilities in accordance with our common approach.
Our Cyber Code In 2019, we launched the Vodafone Cyber Code (see page 55), which has been designed to simplify and explain the basic security controls to all employees. Embedded in our Code of Conduct, the Cyber Code is the cornerstone of how we expect all employees to behave when It comes to best practise in cyber security.
ALWAYS use multi-factor authentication for remote systems that hold sensitive information. NEVER allow unsupported end of life systems in Vodafone infrastructure, or release unsecured products or services. ALWAYS apply the latest security patches, close critical and high vulnerabilities and configure systems securely. NEVER click on links or download without knowing who it is from. Report suspicious behaviour. ALWAYS remove access when staff change roles or leave Vodafone. Secure privileged access and only use it for privileged tasks. NEVER share or reuse your passwords. Longer is stronger. ALWAYS classify, label and protect information you work with.
Click to read more about Vodafone’s Cyber Code in our Code of Conduct: vodafone.com/code-of-conduct
5
Vodafone Group Plc Cyber Security Factsheet 2023
Introduction
Strategy
Governance
Risk management
Events
Governance continued
Governance Management
Cyber governance structure
The Chief Technology Officer and Chief Network Officer are the Executive Committee members responsible for managing the risks associated with cyber threats and information security. The Cyber Security, Technology Assurance and Strategy (‘CTAS’) Director is responsible for managing and overseeing the cyber security programme on a day-to-day basis and reports to the Chief Technology Officer. Reporting to the CTAS Director are the heads of the global cyber security functions and markets or regions. The local cyber security leads are part of their local management teams and responsible for the cyber agenda in their market or region. The Cyber Risk Council Governance meeting (‘CRC’) takes place quarterly, is attended by the cyber security leads from each market and function and is chaired by the CTAS Director. The CRC approves policies and standards, monitors cyber risk and threat and oversees key programmes. The CRC is part of a wider governance structure which includes the Technology Audit and Risk Committee and ultimately the Board’s Audit and Risk Committee. Key risk indicators (‘KRIs’) for our most important controls and our security baseline are reported to senior management and the Executive Committee every month. Examples of KRIs include the results of independent network testing, aged vulnerabilities, patching, hardening and endpoint security status and incident metrics. This reporting provides a granular view of progress and risk reduction. The reports also include detail on the threat landscape, policy and risk updates, vulnerability and incident data, and programme updates. Board Cyber threats and information security are a major area of focus for the Board’s Audit and Risk Committee and detailed updates including threat landscape, incidents, security position, residual risk and security strategy and programme progress were provided by the CTAS Director twice during the year, most recently in March 2023. Several new Non-Executive Directors joined our Board over the last 12 months and as part of their induction process, the Chair and the new Board members visited our global Cyber Security Centre in the UK in March 2023. During the visit, the Non-Executive Directors met our cyber security experts and learned more about our strategy, approach, and how we reduce cyber risk through our operating model. They also received demonstrations of the systems and tools used by the cyber security team. Read more about the Audit and Risk Committee’s oversight of cyber security on pages 42 to 43 and 77 to 82 of our FY23 Annual Report
Management structure
Risk governance
Updated via ARC
Twice in FY23
Board
Audit & Risk Committee (‘ARC’)
Monthly
As required
Executive Committee
Group Risk & Compliance Committee
2-3 times per month
Quarterly
Technology leadership team
Technology Audit & Risk Committee
Weekly
Quarterly
Cyber Risk Council (includes all market & entity Heads of Cyber)
CTAS leadership team
The governance structure chart above shows the different teams and committees responsible for the management and oversight of cyber security risk at Vodafone. The white boxes in the top right of each red box indicate the typical frequency of cyber security updates provided to that particular team or committee during the year. The Cyber Security, Technology Assurance and Strategy (‘CTAS’) Director is responsible for managing and overseeing the cyber security programme on a day-to-day basis. Board-level committees provide effective oversight and review of processes to identify, manage and mitigate cyber security risk.
6
Vodafone Group Plc Cyber Security Factsheet 2023
Introduction
Strategy
Governance
Risk management
Events
Risk management
Identification of vulnerabilities and risks Cyber security is one of Vodafone’s principal risks. We understand that if not managed effectively, there could be major customer, financial, reputation, stakeholder or regulatory impacts. Risk and threat management are fundamental to maintaining the security of our services across every aspect of our business. We separate cyber security risk into three main areas of risk: – External: Attackers and criminals targeting our systems, networks, or people to conduct malicious attacks; – Insider: Accidental leakage of information or malicious misuse of access privileges by our employees; and – Supply chain: A supplier is breached or used as a conduit to gain access to our systems, data or people. To help us identify and manage emerging and evolving risks, we constantly evaluate and challenge our business strategy, new technologies, government policies and regulation, and cyber threats. We conduct regular reviews of the most significant security risks affecting our business and develop strategies and policies to detect, prevent and respond to them. Our cyber security strategy focuses on minimising the risk of cyber incidents that affect our networks and services. When incidents do occur, we identify the root causes and use them to improve our controls. Threat landscape As part of our risk framework, we gather intelligence on threats. The cyber threat landscape continues to be volatile across all sectors, with wide-ranging threat actors. This year, we continued to see an increase in cyber espionage and more sophisticated hacktivist activity following continued geopolitical instability. The ongoing war in Ukraine has remained a significant influence, with threat groups exploiting edge devices such as firewalls, routers and email servers. An emerging trend of ‘hybrid’ attacks (involving physical and digital security) has been reported by multiple organisations. Examples include the targeting of retail stores by cyber-criminal groups with the motive to perform account takeovers, SIM-swapping and credential harvesting. More generally, we are seeing attackers targeting users’ credentials as the main enabling method of compromising systems. Ransomware continues to be a significant threat to all organisations. We are aware of at least one ransomware threat actor group that has impacted multiple sectors for financial gain. One of our suppliers was impacted by this incident, and whilst there was no direct impact on Vodafone and no customer data was accessed, this was a clear example of the increasing threat within our supply chain.
During the coming financial year, we are developing a new framework we call ‘Cyber Adaptive Risk Management’ (‘CARM’). This framework will calculate residual risk based on specific threat scenarios, control effectiveness and the potential impact of incidents. We will continue to track the existing controls until this model is implemented in April 2024. Supply chain As well as monitoring control effectiveness within Vodafone, we oversee the cyber security of our suppliers and third parties with a dedicated team. At supplier onboarding, security requirements are written into contracts, and we determine the inherent risk of the supplier based on the service they are providing. We then assess their controls to understand the residual risk, which informs the frequency of review. We follow up on open actions and ensure security incidents are tracked and managed.
Hackers can attack any point of your supply chain
Hackers can exploit a wider attack surface than ever before
Our threat intelligence team use industry and external analysis to help shape our controls and drive actions. When we identify specific near-term threats, we respond with ‘Threat Action Groups’ who take fast mitigating action to avoid incident or risk impact, in a similar manner to how we respond to incidents. Risk and control framework Controls can prevent, detect or respond to risks. Most risks and threats are prevented from occurring and most will be detected before they cause harm and need a response. A small minority will need recovery actions. We use a common global framework called the Cyber Security Baseline and it is mandatory across the entire Group. The baseline is based on an international standard and includes key security controls which significantly reduce cyber security risk by preventing, detecting or responding to events and attacks. We have effectiveness targets for the key controls that are monitored and reported to senior management for each market every month. The framework is regularly reviewed and new controls or new targets identified each year.
Assurance A dedicated assurance team reviews and validates the effectiveness of our security controls, and our control environment is subject to regular internal audit. The security of our mobile networks is also independently tested and benchmarked versus other telecommunications operators every year to assure we are maintaining the highest standards and our controls are operating effectively. We maintain independently audited information security certifications, including ISO 27001, which cover our global technology function and 15 local markets. In addition, our markets comply with national information security requirements where applicable. All systems going live and those undergoing change are independently penetration tested and we complete approximately 1,000 penetration tests across Vodafone every year. We also perform adversary testing exercises using so-called ’red teams’ and will continue to expand our capability in this area in future years. Read more about our identification of cyber threat as a principal risk on page 53 of our FY23 Annual Report
7
Vodafone Group Plc Cyber Security Factsheet 2023
Introduction
Strategy
Governance
Risk management
Events
Risk management continued
New technologies, industry practice and regulations We adopt new technologies to better serve our customers and gain operational efficiency. For every technology programme, new or existing, we follow our Security by Design process, evaluating suppliers’ hardware and software, modelling threats and understanding the risks before designing, implementing and testing the necessary security controls. We anticipate threats will continue from existing sources, but also evolve in areas such as 5G, IoT, vendor software integrity, quantum computing and the use of artificial intelligence (‘AI’) and machine learning. Mobile networks Every new mobile network generation has brought increased performance and capability, along with new opportunities in security. As we deploy 5G core networks alongside our 5G radio networks, often described as 5G Standalone, we have updated our security standards to implement the latest 5G features in our core networks. We also test security in our radio networks using independent testing companies. Open RAN is a new way of building and managing Radio Access Network (‘RAN’) components within telecommunication infrastructure. Instead of purchasing all the components from one supplier, we use hardware and software components from multiple vendors and integrate these via open interfaces. Over time, this will create a more competitive landscape for telecoms equipment. We mitigate security risks by following our Security by Design process, identifying and mitigating threats with secure design and configuration.
Regulatory landscape We expect a significant increase in security regulation over the next few years as governments respond to the heightened cyber threat landscape, recognising that telecommunications operators provide critical national infrastructure. We engage directly with governments and industry partners to promote proportionate, risk-based and cost-effective solutions to security threats. We look to establish shared approaches to reinforce standardisation and regulatory frameworks that apply equally to all market participants. In the UK, we are implementing the provisions of the Telecoms Security Act which sets enhanced security requirements for UK network operators and their suppliers. In Europe, individual member states have their own current or pending legislation, however these incorporate EU-wide standards such as the 5G Security toolbox and the ‘Network and Information Security 2’ Directive. We continue to monitor the forthcoming EU Cyber Resilience Act which aims to ensure that all digital products and services fulfil the same mandatory security requirements. We are also monitoring the enhanced SEC cybersecurity disclosure provisions, which are expected to be published later in 2023.
Quantum computing As part of our efforts to track and monitor potential future threats to our networks, systems and customers, we are monitoring developments in quantum computing and its effect on encryption. Whilst such a risk is not specific to Vodafone, we have started work to address the potential negative effects and maintain a robust level of encryption that is quantum safe within our network and systems. We are also contributing to initiatives which support other industries. During the year, we formed a taskforce with IBM, the GSMA and other industry partners to work together on post-quantum cryptography. The taskforce has now published a whitepaper which summarises government initiatives and provides recommendations that can be applied to any industry. Industry collaboration More broadly, we actively engage with stakeholders, including industry and government, in order to protect Vodafone, respond to cyber threats and work together to share best practice. Given our expertise and extensive experience, we also engage with a wide range of organisations to help improve the understanding of cyber security thinking and practice, and contribute to public policy, technical standards, information sharing and analysis, risk assessment, and governance. For example, we have engaged in cross-industry collaboration through the European Round Table, where Vodafone chairs the CISO committee and via the National Cyber Advisory Board in the UK. We also participate and engage in security standards working groups such as ENISA 5G Cyber Security Certification, O-RAN Alliance Security Focus group and GSMA Fraud and Security Group.
Spectrum
Our networks
RAN equipment
Open RAN equipment
Technology centres
Mobile core and fixed networks
Radio base stations
Fixed and transport infrastructure
Wireless devices
Homes
Offices and data centres
8
Vodafone Group Plc Cyber Security Factsheet 2023
Introduction
Strategy
Governance
Risk management
Events
Events
Cyber incidents As a global connectivity provider, we are subject to a range of cyber threats. We use our layers of controls to identify, block and mitigate threats and reduce any business or customer impact. Where a security incident occurs, we have a consistent incident management framework and an experienced team to manage our response. The focus of our incident responders is always fast risk mitigation and customer security. In the event of a cyber breach, disclosure is made in line with local regulations and laws, and based on a risk assessment considering customers, law enforcement and relevant authorities. The European Union’s GDPR provides a framework for notifying customers in the event there is a loss of customer data because of a data breach, and this framework is a baseline across all our markets. Vodafone holds cyber liability and professional indemnity insurance policies. These policies may cover the costs of an information security breach, in whole or in part. Vodafone classifies security incidents on a scale (S0-S4) according to severity, measured by business and customer impact. We attribute root causes to incidents and use the information to improve our control effectiveness. The highest severity category (S0) corresponds to a significant data breach or loss of service caused by the incident. There have been no cyber incidents classified at this level in the past financial year, however there were two such incidents in the previous two years – Vodafone Portugal in February 2022 and Ho. Mobile in December 2020. A summary of these incidents and our response is included separately on this page. Even with an increased threat landscape, we have seen a gradual decline in the numbers of more severe incidents. We also track incidents at our suppliers and third parties. The frequency of such incidents is increasing. We contractually require our suppliers to report incidents and we manage these incidents as if they were internal. As an example, one such supplier incident was reported to the Luxembourg regulator in September 2021 due to its potential scope to impact the entire telecommunications industry. The supplier in question manages the netting of roaming charges between operators. There was a minor direct impact on Vodafone based on the investigation carried out by Vodafone and the supplier. Click to read more about how we manage risks from technology disruptions in our SASB disclosure: investors.vodafone.com/sasb
Previous cyber incidents
Vodafone Portugal (February 2022) In February 2022, Vodafone Portugal experienced a network outage caused by a deliberate cyber attack that was intended to cause disruption. No malware or malicious software was installed, and the attack method would be described as a ‘living off the land’ attack because it did not use any specialist tools. The attack relied on sophisticated social engineering, and a deep understanding of IT systems and networks. Investigations revealed that no customer data was accessed or compromised. No other Vodafone markets experienced any disruption from this incident. The outage affected the data network in Portugal. The impact was loss of some voice and data services, some TV services and enterprise and business applications across the country, as well as international connections. Home broadband and linear TV were unaffected by the attack. On detecting the incident, we utilised our global incident management framework and immediately took action to identify, contain further risk and restore services quickly. Mobile data services and interconnections with other operators were resumed within eight hours of the attack, with other services being recovered during the next 48 hours. The Vodafone Portugal CEO immediately and proactively communicated with customers, and the team used widespread online, social media and press information and articles to keep customers aware of our recovery progress. Our cyber security team worked with local law enforcement and security agencies during the investigation. During the incident, 4.7 million mobile and one million fixed line customers were impacted, with some customers having both services. While the network outage was significant, it was only classified as a severe network incident for 48 hours. The direct costs of the incident were estimated in the range of €5 million and were financially immaterial in the context of Vodafone Portugal’s operations and the wider Vodafone Group.
Ho. Mobile (December 2020) In December 2020, ho. Mobile, a second brand in Italy, suffered a data breach and part of a database holding customer data was accessed by a third-party; no financial information, passwords, or mobile traffic data relating to calls, texts or web activity was involved. We utilised our existing global incident management framework. Ho. Mobile took a proactive approach and immediately informed affected customers and regulators, enhanced security protections, remotely reissued SIM serial numbers to prevent any misuse, and offered free replacement SIMs to the entire customer base of 2.5 million. The data breach did not result in any disruption to our connectivity services and the remediation costs were not material to the Group. Ho. Mobile also notified local law enforcement and made the required disclosures to the Italian Data Protection Authority. At the time of the incident, Ho. Mobile used distinct and separate IT systems to Vodafone Italy and the rest of the Vodafone Group. It has since been integrated into Vodafone Italy infrastructure and processes.
Vodafone Group Plc Vodafone House The Connection
Newbury Berkshire RG14 2FN England Registered in England No. 1833679 Telephone +44 (0)1635 33251 vodafone.com
Contact details Investor Relations ir@vodafone.co.uk vodafone.com/investor Media Relations vodafone.com/news/contact-us Sustainability vodafone.com/sustainability
Online Annual Report vodafone.com/ar2023
Page i Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Page 9Powered by FlippingBook