Weak authentication allowed imposter to hijack customer’s cell phone account

PIPEDA Report of Findings # 2012-004

---

The complainant learned that an imposter had contacted his cell phone service provider and used social engineering techniques to gain access to his cell phone account. During the call, the imposter obtained information from the customer service representative about the account, including billing and call-history information, and successfully made changes to basic account information, including the personal identification number (PIN) and the name and gender of the account holder.

Our Office’s investigation confirmed that a customer service representative (CSR) had disclosed the complainant’s personal information to the imposter, and that the CSR had failed to follow the company’s established authentication procedures, despite having successfully completed the standard company training to prevent such security breaches.

When the complainant became aware of what happened, he made his concerns known to the service provider. The service provider acknowledged the error, logged a record of the incident, and gave additional coaching in PIN and security protocols to the CSR who had disclosed the personal information.

The complainant also sought access to his personal information held by the company, including a recording and transcript of the fraudulent call. While the company was initially late in responding to his access request, it eventually fulfilled its obligations by sending the complainant a printed transcript and offering him the opportunity to listen to a recording of the call.

We found the complaint to be well-founded with regard to the disclosure issue, and well-founded and resolved with regard to the access matter.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

1. The complainant alleges that his cellular-telephone service provider (or “the company”) disclosed his personal information without his knowledge and consent to a caller who pretended to be the authorized holder of his cellular telephone account.

2. He also alleges that the service provider’s response to his request for access to his personal information was incomplete and inadequate.

Summary of Investigation

3. The (male) complainant had a cellular telephone account. One day, a female caller contacted his service provider about his account.

4. The caller claimed to be the authorized holder of the complainant’s account and stated that she had not yet received a bill from the service provider.

5. A customer service representative (“CSR”) attempted to authenticate the caller for the complainant’s account. The caller provided the CSR with the complainant’s cell phone number and residential address.

6. However, she did not know the Personal Identification Number (“PIN”) for the complainant’s account, the type of cell phone that his account number was associated with, nor the complainant’s date of birth. The caller also advised that the first name on the file was incorrect and she offered up a new spelling for it.

7. The CSR nevertheless proceeded to provide the caller with the following information from the complainant’s account:

1. The correct PIN for the account;
2. The latest billing date;
3. The latest payment date;
4. The latest bill amounts;
5. The latest payment amounts;
6. The number of minutes used;
7. The type of cell phone plan the complainant subscribed to;
8. The numbers for which the complainant requested directory assistance; and
9. The most recently dialed seven numbers.

8. In addition, during the call, the CSR officially changed the first name and the gender of the account holder in company’s records, to comply with how the caller identified herself.

9. When the complainant became aware of the changes to his account, he made his concerns known to his service provider. One of its team leaders followed up with the complainant to personally apologize. After reviewing a recording of the call between the CSR and the imposter, the team leader noted the infractions and requested the logging of a formal and internal record of the incident.

10. In its representations to this Office, the service provider stated that its CSRs receive 4-6 weeks of training on the importance of protecting client information and the proper procedures for avoiding accidental disclosures. Employees must also take additional online training, including training intended to develop awareness of, and resistance to, social engineering techniques. The CSR in this case had completed his training. Once training is complete, employees have full access to intranet resources.

11. According to the service provider, during calls, employees must follow a prescribed client validation process. We reviewed a copy of the service provider’s intranet resources, which describe the steps to follow for client validation.

12. Additionally, in other company documents that we reviewed, there are clear procedures prohibiting its employees from discussing call histories with callers or divulging to them specific telephone numbers that have been called from any given account.

13. The service provider informed this Office that as a result of the events of this complaint, the CSR who committed the infractions received additional coaching in PIN and security protocols.

14. After first approaching the company’s customer relations group and its executive offices, the complainant sent an email to the company’s privacy office, the intent of which was to request access to all memos, transcripts and notes from his cell phone account relating to the date on which the imposter had called the company about the complainant’s account.

15. Six weeks later, the privacy office replied by sending an email to the complainant, advising that his request had not been processed due to “confusion”. It advised him that it would send the content of four notes from his phone account for the requested date.

16. The service provider immediately sent the complainant a printed transcript of a call occurring between the alleged imposter and the service provider. However, the complainant asserted that the transcription had omissions.

17. A few days later, the complainant repeated his request for a complete transcript, and also requested access to a printed transcript and audio recording of another call, one occurring between a CSR and himself two weeks after the alleged incident.

18. The privacy office then spoke with the complainant by phone, informing him that it would send out a printed transcript of the original call between the CSR and the alleged imposter. The company also offered the complainant the opportunity to listen to a recording of that call at a designated location (the company’s premises).

19. The next day, the company sent the complainant an email containing a second copy of the printed transcript for the original call (with the CSR’s name redacted from it) and copies of notes from the same day, as well as notes from the call two weeks later between a CSR and the complainant. The company also explained to the complainant that, under the Act, individuals are only entitled access to their own personal information, and not to non-personal information such as personal information belonging to a third party.

20. The complainant did not arrange with the company to listen to a recording of the original call on the company’s premises. Instead, he filed the current complaint with this Office.

Application

21. In making our determinations, we applied Principles 4.3, and 4.9 of Schedule 1 of the Act, as well as section 10 and subsections 2(1), 8(3), 8(4), 8(5), and 9(1) of Part 1.

22. Subsection 2(1) defines “personal information” as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

23. Principle 4.3 requires the knowledge and consent of the individual for the collection, use or disclosure of personal information, except where inappropriate.

24. Principle 4.9 states, in part, that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.

25. Subsection 8(3) states that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.

26. Subsection 8(4) allows an organization to extend the time limit (a) for a maximum of thirty days if (i) meeting the time limit would unreasonably interfere with the activities of the organization, or (ii) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or (b) for the period that is necessary in order to be able to convert the personal information into an alternative format. In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.

27. Subsection 8(5) adds that if the organization fails to respond within the time limit, the organization is deemed to have refused the request.

28. Subsection 9(1) requires that, despite Principle 4.9, organizations do not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the personal information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

29. Section 10 states that an organization shall give access to personal information in an alternative format to an individual with a sensory disability who has a right of access to personal information under this Part and who requests that it be transmitted in the alternative format if (a) a version of the information already exists in that format; or (b) its conversion into that format is reasonable and necessary in order for the individual to be able to exercise rights under this Part.

Findings

August 22, 2012

Disclosure

30. The complainant’s personal information was disclosed to the imposter who called the service provider and claimed to be the account holder. This event is not disputed by either the complainant or the service provider. The personal information disclosed included the complainant’s PIN as well as payment and calling history information for his cellular telephone account.

31. Principle 4.3 requires the knowledge and consent of the individual for the collection, use or disclosure of personal information, except where inappropriate. Since the complainant had not provided his consent for the disclosure of his information to the caller, Principle 4.3 was contravened.

Access

32. At issue is also whether the service provider provided the complainant with access to his personal information and, in so doing, respected its obligations under the Act.

33. Principle 4.9 of the Act requires that individuals be given access to their personal information. Subsection 8(3) specifies that an organization shall respond to a request for access to personal information with due diligence and in any case not later than thirty days after receipt of the request. Subsection 8(4) provides for the possibility of an extension under certain circumstances. Subsection 8(5) adds that if the organization fails to respond within the time limit, the organization is deemed to have refused the request.

34. The complainant did not receive a response to his access request from the service provider until six weeks after he sent his request. The intervening period is more than thirty days, longer than that allowed by subsection 8(3) to respond. The company did not attempt to extend the time limit by invoking any of the reasons from subsection 8(4). Therefore, pursuant to subsection 8(5), we are of the view that it refused the request since it did not respect the thirty-day time limit allowed. The company, by not providing access within the time limit, was thus in contravention of Principle 4.9.

35. Regarding the redactions that the company had made from the call transcript that it provided the complainant, we have reviewed those redactions and find them to be in compliance with subsection 9(1) of the Act, which requires an organization to sever personal information about a third party before allowing an individual access to their own personal information. The information redacted from the transcript (i.e., the CSR’s name) belongs to a third party.

36. As for the issue raised by the complainant that he was not provided with an audio recording of the conversation which took place between the imposter and the CSR, the Act provides individuals with the right to access their personal information. The Act does not, however, require an organization to provide access in a particular medium. Only under section 10 of the Act must an organization give access to personal information in an “alternative format” to an individual with a sensory disability and who requests that their personal information be transmitted in the alternative format. The complainant’s case does not fall within these circumstances. Rather, the company did provide the complainant with the call transcript containing the personal information, and to which he was entitled under the Act. It is, therefore, not required to further provide him with a copy of the recording.

37. The company did eventually provide the complainant with access to the personal information he had requested, thus upholding Principle 4.9.

38. We noted that the company adjusted the complainant’s account balance to zero as a goodwill gesture and also that it and the complainant have had exchanges over what is fair compensation in the circumstances. We encourage both parties to enter into direct negotiations with a view to resolving the compensation matter.

Conclusion

39. Accordingly, we conclude that the matter for the disclosure of personal information to a third party is well-founded under Principle 4.3. The access matter is well-founded and resolved under Principle 4.9.

Other

40. Our review concluded that the company’s employee training and on-the-job reference materials clearly describe – and prescribe – the procedures to be followed by employees to respect the confidentiality of personal information. These procedures include strict identification and authentication procedures before any personal information can be disclosed.

41. While security policies and procedures are essential, they are not in themselves sufficient to protect personal information from loss or theft. The effectiveness of security safeguards depends, in the final analysis, on the organization’s diligent and consistent execution of policies and procedures.

42. The current case underscores this reality since, despite recently completing his training in customer privacy, the CSR did not apply the company’s standard procedures expressly designed to maintain the confidentiality of customer personal information.

43. In April 2012, The Federal, British Columbia and Alberta Privacy Commissioners released Getting Accountability Right with a Privacy Management Program, a guidance document for private sector organizations. It offers them the necessary insight and guidance to develop a privacy management program that respects accountability requirements of Canadian privacy laws.

44. In light of the revelations of our investigation into this complaint and towards strengthening compliance with the Act, we are recommending that the company consult this document to review its own privacy management programs, policies and procedures, including those relating to safeguards and employee training.