Dell improves security and complaint handling practices following breaches and OPC Investigation

PIPEDA Findings #2020-003

July 9, 2020


Complaint under the Personal Information Protection and Electronic Documents Act (PIPEDA or the Act)

Description

After receiving a “tech support scam” call, two Dell customers complained that their personal information was disclosed to fraudsters and that Dell would not take their concerns about a breach seriously. Dell discovered that two employees of its service provider sold customer information on two separate occasions. Dell took a number of remedial measures including changing service providers, improving its security protocols to better deal with insider threats and revising its complaint and breach handling procedures.

Takeaways

  • Organizations should adequately investigate all credible complaints about potential breaches.
  • When assessing the sensitivity of personal information, organizations should also consider the risk environment and the potential harm to individuals in the event of a breach.
  • Robust security safeguards should be in place to deter employee theft of personal information including stringent access controls and logging and monitoring practices.

Overview

Two Dell customers complained that they received calls from fraudsters who knew certain personal information of the complainants including information pertaining to their Dell products. The complainants alleged that Dell had insufficient security safeguards that resulted in the inappropriate disclosure of customer information. The complainants were also dissatisfied with how Dell responded to their complaints about a privacy breach.

At the time of the complaints, Dell used a Service Provider (the “Provider”) to deliver support for its customers in a call centre located in India. Two employees of the Provider inappropriately disclosed Dell customer data lists in June and November of 2017. Dell is unaware what information was disclosed in the June 2017 breach, but both complainants had their personal information breached in November 2017.

Dell remained responsible for the personal information transferred to the Provider (Principle 4.1.3) and was obligated to ensure that the Provider protected the information with security safeguards appropriate to the sensitivity of the information (Principle 4.7).

We are of the view that the personal information transferred to the Provider was sufficiently sensitive to require a high degree of protection having regard to the nature of the personal information involved, the risk environment and the potential harm to individuals in the event of a breach. We found that certain safeguards related to access controls, logging and monitoring, and technical controls were insufficient given the sensitivity of the personal information at issue. We also found that Dell failed to adequately investigate the circumstances of the June 2017 breach and failed to adequately respond to customer complaints (Principles 4.7, 4.10.4).

Dell instituted numerous enhancements to respond to our recommendations. We therefore consider the matter well-founded and resolved.

Complaint

  1. The Office of the Privacy Commissioner received complaints from two individuals alleging that Dell Inc. (“Dell”) had insufficient security safeguards that resulted in the unauthorized disclosure of their personal information. The complainants were also dissatisfied with how Dell responded to their complaints about a potential breach of their personal information.
  2. Specifically, both complainants alleged that they received telephone calls from fraudsters purporting to be Dell employees and who had in their possession certain personal information about the complainants and their Dell products. One of the complainants was deceived into providing the fraudster with remote access to her laptop computer and a $100 payment. The complainants believe that the fraudsters could only have obtained their personal information from Dell.
  3. When raising these issues with Dell, the complainants were unsatisfied with Dell’s apparent refusal to investigate a potential privacy breach.
  4. The investigation therefore focused on Dell’s safeguards and its investigation of privacy-related complaints.

Background

  1. Dell is a multinational technology company and, in addition to other technology related business lines, is arguably best known for selling computer hardware products such as laptops, monitors and printers to consumers and businesses. Dell offers warranties and support services for its products.
  2. From 2008 to 2018, Dell used a specific third party company (the “Provider”) to provide technical support services to Dell customers. The Provider is a large, multinational company, which operates call centres around the world including in India where the breaches at issue in this investigation took place.

Targeted tech support scams

  1. “Tech support scams” have been a perennial problem plaguing individuals for many years.[Footnote 1] Scammers will call individuals and pretend to be employees of a certain company, usually referencing well-known technology companies such as Microsoft, Google or Apple. The scammers will then try to trick the individual into thinking there are problems with their computer in order to obtain payment for fake computer help. The Federal Trade Commission (the “FTC”) in the United States[Footnote 2] has warned about these scams for several years, as have certain agencies in Canada.[Footnote 3] In an early blog post from 2015, Dell noted customers should “Watch Out for Tech Support Phone Scams”.[Footnote 4]
  2. In 2016, Microsoft published a global survey showing that two in every three people had been exposed to a tech support scam in the preceding twelve months and estimated that Americans lose around $1.5 billion to tech support scams every year, with 86% of them originating in India.[Footnote 5] Microsoft has indicated that the harms which can arise from these scams are often more than just monetary but also include lost time and stress.[Footnote 6]
  3. At issue in these complaints is a variant of the tech support scam where scammers use personal information relating to an individual’s relationship with a technology company (e.g. a warranty number, service tag) to convince the victim that they represent the company in question. Having this information, which generally only the victim and the company should know, increases the effectiveness of the scam. The complainants in this case both describe receiving several such calls that were specifically targeted to them because the fraudster also possessed certain Dell related customer information about them.

Summary of Investigation

Complainant A

  1. The complainant stated that she received a call in July 2017 from a person claiming to be a Dell representative. According to the complainant, the individual knew her name, phone number and email address. He also provided her with the following accurate information about her Dell product: the model name of her laptop computer, her service tag and express service code,[Footnote 7] the expiry date and the type of warranty attached to her Dell computer. The caller also provided her with the date of her last service call to Dell (which was in May 2017).
  2. The individual, posing as a Dell employee, indicated that her computer contained child pornography and that he would need $100 in order to clean it. He also requested remote access to her computer.
  3. According to the complainant, she was convinced that the phone call was legitimate since the individual knew so much information about her, her computer and her interactions with Dell. She therefore provided the individual with remote access to her computer and $100 using an Apple iTunes card. The fraudster subsequently installed malicious software that required the complainant’s computer to be re-formatted.
  4. The complainant’s father, who had purchased the Dell computer for his daughter, also reported receiving two more calls in October 2017 from fraudsters posing as Dell employees who had the same information about his daughter’s computer and even more detailed information about the specific warranty he purchased. In those instances, the callers claimed that there were problems with his computer.
  5. The complainant’s father immediately advised Dell about these calls and requested that Dell urgently warn its customers about a potential breach. The complainant’s father made numerous calls to Dell’s service number, which were handled by the Provider in question. Repeatedly, the complainant’s father was advised that Dell’s systems were secure; he was provided with standard language about the prevalence of computer tech scams in general and referred to the FTC in the United States. The complainant’s father also subsequently had a number of communications with Dell directly about the issue. However, Dell stated that, despite repeated efforts, it was not able to link the scam call to Dell information because the service tag number and other information provided by the complainant’s father were “incorrect”.
  6. Unsatisfied with what he described as Dell’s inaction on a potential breach, he filed a complaint on behalf of his daughter with our Office in August 2017. He also noted that numerous other people in online forums were complaining of the same issue that appeared to have been ongoing for several years.
  7. While its communications with the complainant’s father were continuing, Dell was notified that its Provider had suffered a breach in November 2017. In particular, Dell discovered that an employee of the Provider had exfiltrated a list containing customer personal information and sold it to a third party. Dell later discovered that the exfiltrated list included the complainant’s name, email address, telephone number, Dell product service tag number and service request number.
  8. Dell also stated that during its investigation into the November 2017 breach, a second employee also admitted that in June 2017 he had physically removed data and sold it. However, Dell stated that it is unaware what personal information was taken at that time.
  9. In April 2018, Dell sent an email to individuals affected by the November 2017 breach, including the complainant. The email stated that Dell “had determined that scammers claiming to work for Dell have some basic information related to your Dell services history (such as customer name, email address, Dell product information, Dell service tag or Dell support history)”. The email included tips on how customers can identify and protect oneself from a scam. However, no express mention was made of either the June or the November 2017 breaches.
  10. We note that, at this time, the breach notification provisions of PIPEDA were not yet in force.[Footnote 8]
  11. Dell indicated to our Office that, notwithstanding the breaches in June and November 2017, it investigated the matter and found no evidence that the call received by the complainant in July 2017 originated with information obtained from Dell. In Dell’s opinion, if the complainant received such a call, it believes it was because of an untargeted and random “tech call scam” or that the scammers obtained the information from other sources. Further, Dell submitted that the complainant “should have known that the call was a scam” and that despite a number of indicia that it was a fraud (e.g. Dell did not call their customers unsolicited) the complainant “still fell victim to it.”

Complainant B

  1. The complainant alleges that he received a number of harassing calls from individuals claiming to be from Dell starting on January 1, 2018. While the complainant advised that he recognized that these individuals were “scammers”, he was nonetheless concerned by the amount of personal information that these individuals had about him. Consistent with the facts relating to Complainant A, the callers could correctly identify: his name, phone number, computer service tag number and details of previous service interactions with Dell. For instance, the complainant noted that the scammers were able to advise him of the specific date in which he had opened a service call related to an audio problem with his Dell product.
  2. The complainant stated that he was a “computer tech and the scammers almost convinced [him] to cooperate with them based on the information they had. I can't imagine what would happen with a regular every day Joe.”
  3. The complainant contacted Dell about the potential data breach and despite trying to escalate the matter, he indicated that Dell seemed to be “sweeping it under the rug”. He also noted that while researching this issue online, many other people complained about similar situations whereby these scammers possessed certain Dell related data.
  4. After filing a complaint with our Office in February 2018, and acting on this Office’s recommendation, the complainant contacted Dell’s Privacy Office about his concerns. In April 2018, the complainant received the email, referred to in paragraph 16, sent by Dell to individuals potentially affected by the November 2017 breach.
  5. Dell confirmed that the complainant’s personal information was also on the customer list that was exfiltrated in the November 2017 breach.

The June and November 2017 Breaches

  1. The Provider first notified Dell at the end of November 2017 of a breach involving its employees. According to Dell, on November 4th, 2017, the Provider’s “Data Leakage Protection System” software alerted the security team to an email sent by an employee with a large file attachment “possibly containing customer information” which was being sent outside the organization. The Provider intercepted the email but, upon further investigation into this breach, also discovered that the employee in question had, on other occasions, inappropriately emailed customer lists to his personal email address. These emails were of a smaller size and therefore did not trigger the data leakage protection system. Dell did not specify the exact dates of these emails.
  2. According to Dell, these emails contained the personal information of approximately 7,883 Canadian Dell customers.[Footnote 9] The emails contained lists that included names, telephone numbers, email addresses, product service tag and service request numbers. The employee admitted to selling the information to a third party.
  3. Dell also advised that the employee was working with another employee who was also interviewed because of the November breach. This employee admitted that in June 2017 he also collected customer information and sold it to a third party. In this instance, the employee stated he used physical means to remove data lists from the premises. However, Dell indicated that it was unable to determine which means were used and none of the Provider’s security safeguards was triggered by the breach. The Provider was unable to recover any of the information breached during this incident. Dell indicated that, as a result, it was unaware which customers were affected or the scope of the personal information involved.
  4. Dell initially stated that the two employees had accessed the data lists in question as part of their regular work duties. Dell first advised that one of the employees was a manager and therefore had permission to create and build reports, and later clarified that both were managers: the individual who attempted the large file exfiltration in November 2017 was a second level manager with specific rights to create reports containing Dell customer information, while the other employee, who confessed to the June 2017 breach, was a lower level manager with only limited read access rights and therefore allegedly “needed a co-conspirator with elevated access rights” to build reports with Dell customer information.
  5. Dell advised that upon being notified of the incident, the employees were suspended and following an investigation that culminated at the end of March 2018, they were subsequently fired.

Reports of targeted tech support scams prior to November 2017

  1. Dell stated it is confident that there were no other incidents of exfiltration of data in the years preceding the incidents described above. Dell indicated that its investigation went back in time and found no evidence of exfiltration. Dell also pointed to the data protection agreements and policies it had in place and stated it had not received “any data security incident notice or security alerts from (the Provider’s) information security team of potential exfiltration or theft by (the Provider’s) employees.”
  2. By contrast, both complainants pointed to their own online searches, which found Dell customers complaining since 2015 about receiving similar scam calls from individuals who knew detailed personal information about them and their Dell products. Our own online review confirmed the same. For instance, in response to a Dell blog posting from December 2015, commenters indicated that in some cases the scammers were aware of previous calls to Dell’s warranty number. Similar to the incidents subject to this investigation, many individuals stated that they were convinced that Dell had some sort of data breach due to the amount of personal information the scammers had about them, which included email addresses, phone numbers, computer models and service tag numbers.
  3. An Ars Technica article from January 2016 also outlines the concerns of a data breach at Dell, quoting multiple complaints filed with Dell’s support forums and noting that Dell did not seem to be addressing these concerns.[Footnote 10] A follow-up article from Ars Technica in June 2018[Footnote 11] laments that “more than 30 months after surfacing, a tech-support scam targeting Dell computer owners continues to raise questions about how the callers know sensitive information, including PC serial numbers and the names, phone numbers, and email addresses customers gave to the PC maker”. Another article from 2016 discusses the experiences of another customer with similar concerns and how he tried to report it to Dell, but during a series of phone calls none of the Dell representatives he spoke with offered to “relay his problem to someone further up the food chain.”[Footnote 12]
  4. Dell stated to our Office that when customers complained about these concerns via its online complaint form, Dell gathered and analyzed the information for investigative leads. Dell insisted that it monitors trends in activity and specifics of the types of scams and “where there is a rise in scam activity in the industry, Dell has done the responsible thing and notified its customers about such scams and how to prevent falling victim to them - even though such scams may be wholly unrelated to Dell’s activities, products, or security safeguards.”
  5. When our Office asked Dell whether it received complaints or notifications about potential privacy breaches from Dell customers or from Dell’s service providers, Dell advised that it has received over a thousand scam call reports from Canadians since 2015, with reports jumping from 9 in 2015 to 667 the following year.[Footnote 13] Furthermore, according to Dell, between June and October 2017 there were 26 Canadian reports where customers specifically stated that the scam caller had Dell customer information. Between November 2017 and November 2018, 32% of the 402 reports received by Dell made express mention that the scammer had Dell information.

Dell’s safeguards

  1. According to Dell, in order to provide warranty related and technical support services on behalf of Dell, the Provider’s employees, who were technical support agents, required access to certain Dell customer information such as contact details, Dell product models, warranty information as well as prior product support services information.
  2. Dell indicated that it had in place adequate security safeguards at the time of the June and November 2017 breaches including contractual obligations with its Provider ensuring the provision of appropriate physical, organizational and technical safeguards.
  3. According to Dell, customer information was accessed through a secure customer management system portal and was based on the technical service agent’s role and responsibilities. Dell stated that “additional access safeguards include[d] limiting the number of users, restricting availability of certain personal information available and limits on the number of people who can access and develop reports.”
  4. Dell also indicated that the Service Provider used “Data Leakage Protection System” software which scan[ned] outbound emails for potentially confidential information (e.g., long strings of numbers such as Social Insurance Numbers, credit card numbers, etc.). The systems in place also enabled the capture of query activity for Dell customer information in order to support forensic investigations.
  5. Physical protections included metal detector screening for all of the Provider’s employees and the requirement for them to keep personal possessions in lockers outside of active labs.
  6. We reviewed copies of the contracts which Dell had in place at the time of the breach including an “Information Privacy and Security Schedule” (the “Schedule”) dated March 2009 which formed part of the broader contract between Dell and the Service Provider. Dell also provided us with a Data Protection Agreement (the “DPA”) which was not in effect at the time of the breaches at issue.
  7. The Schedule included a separate Canadian addendum which required the Provider to “use reasonable physical, organizational and technological security measures that are appropriate having regard to the sensitivity of the information to protect such PII [personally identifiable information] against loss, theft and unauthorized access, disclosure, copying, use, modification or disposal …”
  8. In addition, the Canadian Addendum required the Provider to:
    • restrict logical and physical access to personal information to authorized employees;
    • refrain from printing, saving, copying or storing any personal information except temporarily when needed for business purposes;
    • refrain from removing or transmitting any personal information except with permission of Dell and if doing so, to ensure the use of secure encryption technology.
  9. The Schedule also required the Provider to implement certain controls including authentication and access control mechanisms over Data and personnel security and integrity controls including background checks. The Provider was required to deliver annual training to employees, personnel and/or subcontractors on how to comply with the Provider’s physical, technical, and administrative information security safeguards.
  10. Dell also had the right to request a copy of the Provider’s security standards, policies and guidelines related to data and can perform an audit, assessment, examination or review in relation to the Data being processed.
  11. The Schedule also required the Provider to report security breaches to Dell within 12 hours after the Provider becomes aware of them, which also included the requirement to report complaints related to alleged breaches or the general privacy practices of the Provider.
  12. Dell also stated that it engaged in periodic audits of the Provider’s security measures to monitor the effectiveness of these measures. Dell stated that it undertook an onsite audit focusing on access rights policies, between February and November 2016, of the Provider’s facility in India where the two employees implicated in the June and November 2017 breaches worked. Dell asserted that no significant non-compliance issues were uncovered during that audit.
  13. According to Dell, the Provider also retained an independent third party to conduct a forensic analysis of certain employee systems between November 2016 and March 2017, looking for signs of employee theft. According to Dell, the external forensics expert did not identify evidence of data theft activity in relation to these systems.
  14. Dell also indicated that it undertook two additional onsite audits in April and August 2017 of other locations in India and again, found no significant compliance issues.
  15. Dell has asserted that, despite these safeguards, it could not prevent a scenario where two employees of its Service Provider with appropriate role-restricted authorized access committed a criminal act of theft. It maintains that the exfiltration was detected and mitigated promptly.
  16. Nevertheless, after November 2017, Dell also indicated that, in conjunction with the Provider, it implemented a number of changes to its safeguards in light of the breaches that occurred, including:
    1. reducing the number of authorized users that could create reports containing customer information by 75%;
    2. reducing the number of individuals that could access the customer information database to only three individuals, one per shift, at the location where the breaches occurred;
    3. creating two new categories of access rights that did not allow access to customer-specific information; and
    4. deactivating all USB or other removable storage device capabilities from employee desktops.
  17. While our investigation was ongoing, Dell indicated that it had decided to cut its ties with the Provider and that it had moved to two other service providers.

Analysis

  1. Dell has admitted that the personal information of both complainants was breached in November 2017, along with the personal information of 7,883 other Canadians. Dell also admitted to a prior breach in June 2017 but claims no knowledge as to its extent or what personal information was implicated in this earlier incident.
  2. While Dell disputed that the targeted tech scam call Complainant A received was the result of any breach it suffered, we note that Dell had no basis for such a dispute, and has no knowledge of the scope of the June 2017 breach. We therefore do not see how Dell can rule out that this breach implicated the complainant’s personal information especially when they admit that the same information belonging to the complainant was in fact breached in November 2017. Dell has also not provided a convincing rationale as to how the caller would have had access to Dell customer information, including, for instance, past interactions with Dell.
  3. In any event, it is clear that both complainants’ personal information was implicated in the November 2017 breach and that additional customer personal information was also disclosed in an unauthorized fashion in June 2017.
  4. At issue in these complaints therefore is whether Dell adequately safeguarded the personal information under its control from inappropriate disclosure while using the services of a service provider for business purposes.

Safeguards

  1. The Act affirms that Dell remains responsible for its customers’ personal information while it is being processed by a service provider. Principle 4.1.3 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization is required to use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
  2. Principle 4.7 provides that organizations are required to protect personal information by security safeguards appropriate to the sensitivity of the information. Under PIPEDA, a meaningful assessment of the sensitivity of the information is context-based and includes an analysis of the information at issue, the foreseeable risks at hand and the potential risks of harm to individuals from unauthorized access, disclosure, copying, use or modification of the information.[Footnote 14]
  3. In addition to sensitivity, Principle 4.7.2 states that the nature of the safeguards will also vary depending on the amount, the distribution, and format of the information and the method of storage. Principle 4.7.3 states that organizations should use physical, organizational and technological measures to protect personal information.
  4. We are of the view that the personal information which Dell transferred to its Provider is sensitive having regard to the nature of the personal information involved, the high risk environment and the potential harm to individuals in the event of a breach. The information at issue consists of customer names, contact details including their phone numbers and email addresses as well as specific details regarding their Dell products and interactions with Dell’s technical support advisors. While this information combined together has a certain degree of sensitivity given the various data elements, the sensitivity is further heightened by the known risk environment and the potential resulting harms from a breach.
  5. Dell was well aware of a heightened risk environment posed by the proliferation of not only tech support scams, but targeted tech support scams where the fraudsters impersonated employees and used customer personal information to trick their victims. In addition, Dell’s Provider operated its call centres in India where reports indicated that many of the tech support scam calls originated. It would therefore be foreseeable that fraudsters, operating in this realm, would find legitimate Dell customer information to be extremely valuable and appealing. Having access to not just the names and contact information of actual Dell customers but also information pertaining to their Dell products and recent transactions, would allow tech support scammers to better target and deceive their victims in the pursuit of their fraudulent activities.
  6. Furthermore, the potential harms resulting from a breach of Dell customer information in this context can be significant and real. Complainant A suffered financial harm coupled with the stress and inconvenience of reformatting her computer to ensure her private files were not lost. As the Microsoft report highlights, tech support scams are a lucrative, billion dollar industry where victims often suffer not just from financial harm but also from stress and anxiety.
  7. In this regard, we do not agree with Dell’s implicit assertion that Complainant A was ‘to blame’ for falling victim to the fraud. It is entirely understandable that an individual would trust a caller who has access to personal information that only Dell would reasonably know. In any event, it is disconcerting that Dell, after having suffered at least two known breaches, would attempt to shift responsibility in this way to its customers who were the innocent victims of these scams.
  8. For the reasons noted above, we conclude that the information at issue is particularly sensitive and therefore we would expect Dell to ensure that its Provider had in place stringent security controls to safeguard its customers’ information in light of its risk environment.
  9. Dell maintained that it had in place robust data protection safeguards with its Provider and insisted there was little it could have done to prevent these breaches by certain rogue employees of its Provider. While we note that Dell had in place a number of security safeguards, our Office is of the view that safeguards were lacking in the following distinct areas: access controls; monitoring and logging; technical measures and breach investigation.

Access controls

  1. First and foremost, it is not clear why so many employees had the ability to access and build detailed customer reports containing personal information. Dell pointed to the fact that the Provider had role-based access controls and that only “higher level” managers were granted special access to build reports for necessary business purposes. Yet, following the November 2017 breach, Dell confirmed that it reduced the number of employees that could build reports containing customer information by 75%.
  2. In addition to building reports, there was also the ability to access reports already created. After November 2017, Dell also significantly reduced the ability of most employees to access reports containing customer information by creating two new categories of access rights that permitted access only to reports containing non-customer-specific information. As such, we find that both the ability to access reports and the ability to create them were clearly greater than they needed to be.
  3. Secondly, it was not clear why Dell allowed and authorized the creation of such detailed customer reports with numerous data elements, including the contact information of Dell customers. Dell may have dismissed this information as non-sensitive, yet these reports were extremely valuable to the tech support scammers, as shown by the fact that the rogue employees sold these lists to fraudsters. More care should have been taken to ensure that employees are given access to the least amount of personal information required to carry out their job-related functions. We note that in 2018, Dell started to mask personally identifiable information, such as phone numbers, from personnel who did not have a demonstrable need to see it.

Logging and Monitoring

  1. We found no evidence that there was a logging and monitoring process in place to detect anomalous employee requests for customer information (for example, a high volume of report builder requests). Given the sensitivity of the information contained in these reports, an active monitoring process should have been in place to oversee, manage and review employee access at regular intervals. We found no evidence that Dell regularly monitored the Provider’s access to its own system, nor did we see evidence that the Provider regularly monitored the access rights of its own employees.
  2. While Dell points out that its Provider had a software monitoring system which scanned emails for large attachments and lists containing strings of numbers, we note that this system was easily circumvented in the November 2017 breach by the employee sending smaller batches of attachments. These smaller attachments allowed him to exfiltrate personal information for thousands of customers without the Provider’s systems being triggered.
  3. Regarding the June 2017 breach, Dell admitted that the exfiltration did not trigger any of its systems and that it was not able to detect any trace of the exfiltration.
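The two gaps described above, the absence of volume-based monitoring of report builder requests and a mail filter that checked only the size of each individual attachment, can both be closed by aggregating per employee over a sliding time window. The following is an added illustration, not code from Dell, the Provider or this report; the log format, agent identifiers, sizes and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access/mail log lines (not taken from the report).
# Format: <ISO timestamp> <agent id> <event> <size_kb>
SAMPLE_LOG = """
2017-11-02T09:01:00 agent17 report_build 0
2017-11-02T09:05:00 agent17 email_attachment 900
2017-11-02T09:40:00 agent17 report_build 0
2017-11-02T10:02:00 agent17 email_attachment 980
2017-11-02T11:15:00 agent17 email_attachment 920
2017-11-02T11:50:00 agent17 report_build 0
2017-11-02T13:40:00 agent17 email_attachment 990
2017-11-02T14:05:00 agent17 email_attachment 960
2017-11-02T15:30:00 agent17 report_build 0
2017-11-02T16:10:00 agent17 email_attachment 950
2017-11-02T09:30:00 agent04 report_build 0
2017-11-02T15:00:00 agent04 email_attachment 1500
2017-11-03T09:00:00 agent04 report_build 0
""".strip().splitlines()

PER_MESSAGE_LIMIT_KB = 1000  # single-message threshold of the kind that batching evades
WINDOW = timedelta(hours=24)
MAX_REPORT_BUILDS = 3        # report builder requests per agent per window (assumed)
MAX_ATTACHMENT_KB = 4000     # cumulative attachment volume per agent per window (assumed)

def parse(line):
    ts, agent, event, size = line.split()
    return datetime.fromisoformat(ts), agent, event, int(size)

def per_message_only(lines, limit_kb=PER_MESSAGE_LIMIT_KB):
    """The naive control: flag only individual messages over the size limit.
    An agent sending many sub-limit attachments is never flagged."""
    return sorted({agent for _, agent, event, size in map(parse, lines)
                   if event == "email_attachment" and size > limit_kb})

def find_anomalies(lines, window=WINDOW, max_builds=MAX_REPORT_BUILDS,
                   max_kb=MAX_ATTACHMENT_KB):
    """Return sorted (agent, reason) pairs whose activity within any sliding
    window exceeds a threshold, regardless of the size of any single message."""
    events = sorted(parse(line) for line in lines)   # chronological order
    recent = defaultdict(deque)                      # (agent, event) -> [(ts, kb)]
    alerts = set()
    for ts, agent, event, size in events:
        q = recent[(agent, event)]
        q.append((ts, size))
        while ts - q[0][0] > window:                 # drop entries outside the window
            q.popleft()
        if event == "report_build" and len(q) > max_builds:
            alerts.add((agent, "excessive_report_builds"))
        if event == "email_attachment" and sum(kb for _, kb in q) > max_kb:
            alerts.add((agent, "cumulative_attachment_volume"))
    return sorted(alerts)
```

On the sample log the per-message check flags only agent04's single large message, while the windowed check flags agent17 for both the number of report builds and the total volume sent in small batches.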

Other Technical Measures

  1. Dell was clearly operating in an environment where it was aware of the risk of theft of information by employees of the Provider and had in place some measures to mitigate this risk, including for instance metal detector screening and lock boxes for personal items.
  2. In this environment, we were surprised, however, that it only restricted the use of USB drives in employee workstations after it became aware of the breaches in question. In previous investigations and guidance, our Office has warned of the risks associated with using portable storage devices and has advised that portable storage devices should only be used as a last resort to store or transfer personal information, and only if it is demonstrably necessary to fulfill a specific and documented purpose. (Footnote 15)
  3. Based on the evidence presented, we were not satisfied that Dell had put in place sufficient measures to ensure that USB drives were not used as a means to exfiltrate personal information by employees.

Breach investigation

  1. A critical organizational measure to safeguard personal information is the prompt and thorough investigation of a breach, including allegations of a breach. Once notified of a potential breach, an organization must use reasonable efforts to ascertain whether a breach occurred and, if so, its causes, otherwise potential vulnerabilities remain unaddressed.
  2. In addition to Principle 4.7, we note that Principle 4.10.4 states that an organization shall investigate all complaints. If a complaint is found to be justified, the organization shall take appropriate measures, including, if necessary, amending its policies and practices.
  3. A prompt and thorough investigation into complaints, and in the case at hand, credible complaints about potential breaches, is not only necessary to identify potential vulnerabilities related to security safeguards but also ensures that remedial measures are quickly taken. Often the customer, or someone else outside the organization, is the first to alert an organization to unusual behaviour indicative of a data breach, and therefore each credible complaint should be investigated. If complaints are ignored, dismissed or inadequately investigated, the problem will persist and, in the case of insider threats, the perpetrators will continue their activities undetected and face no repercussions.
  4. Dell argued that it thoroughly investigated all complaints received from the public, including those from the complainants. Yet in reviewing how Dell handled the complaint from Complainant A about a targeted fraud call, which was consistent with the experiences of many other Dell customers as chronicled in paragraphs 30-31 of this report, we find Dell’s investigation to be inadequate.
  5. When Complainant A’s father first contacted the Provider with his concerns, he was informed that there were no security issues. He was referred to the FTC’s page describing general tech support scams and encouraged to follow up with that organization. Complainant A’s father then continued to proactively raise his concerns with Dell.
  6. While Dell indicated that it attempted to verify Complainant A’s information, it stated it was hampered in its investigation because of an incorrect service tag and other information provided by the complainant’s father. We note, however, that in its representations the service tag that Dell identified as the “correct” one is the same as the one that the complainant’s father provided in his initial complaint to Dell. We also note that both the service tag and the phone number provided by the complainant’s father in his initial complaint match those associated with Dell’s records of its service calls with Complainant A in May 2017. In the circumstances, we fail to see how Dell, a sophisticated technology company, could not use this information, or other information such as name, email address and product information, to make the correct and apparent linkages.
  7. Dell’s inadequate investigation into Complainant A’s complaint is particularly problematic given that her complaint came after the June 2017 breach but several months before the November 2017 breach. Had her complaint, and potentially those of others made in the June to November 2017 timeframe, been investigated more thoroughly, there would have been a greater chance of preventing the November 2017 breach.
  8. We also find it troubling that Dell did not take further steps once it became aware of the June 2017 breach to ascertain how the breach occurred and its scope. In the circumstances, simply knowing that the breach occurred by “physical means” reveals little and did not provide sufficient information to determine what other measures should have been put in place to prevent similar breaches in the future. Even though the employee in question was terminated, the same means could potentially have been shared with, and used by, other employees. Dell indicated that the Provider’s investigation could not uncover evidence that the information was exfiltrated via the Provider’s network, but Dell did not explain why it was unable to determine how the breach occurred and its scope or that it exhausted all reasonable attempts to do so. Based on the evidence before us, we were not satisfied that Dell took reasonable steps to determine the circumstances of the June 2017 breach.

Recommended actions

  1. In our preliminary report, our Office recommended that Dell put in place the following measures with respect to its obligations under Principles 4.10.4 and 4.7:
    1. Implement procedures to ensure that complaints by individuals who contact Dell or its service providers alleging their personal information has been breached, are investigated thoroughly and appropriately;
    2. Ensure that Dell and its service providers’ customer service representatives receive adequate training with respect to Dell’s obligations under the Act and how to respond to privacy complaints;
    3. Put in place procedures to ensure that the circumstances of a breach are adequately and thoroughly investigated; and
    4. Ensure that Dell has in place logging and monitoring to detect abnormal and anomalous requests for customer information by its employees and service providers.
  2. In response to our preliminary report, Dell agreed to implement all recommendations.
  3. With respect to security safeguards, Dell stated that it had put in place a number of enhancements including improved monitoring and logging capabilities to detect anomalous and atypical behavior of both employees and service providers. It also stated that it had significantly strengthened access controls including the use of two-factor authentication. Fewer employees can access customer information and more information is masked. Dell noted that its new Service Providers implemented a number of enhanced organizational, physical and technical safeguards including disabling all USB functionality, restricting printer access and controlling access to the production floor. Internet and email restrictions are in place such that employees can only send emails within certain domains.
  4. Dell indicated that it has enhanced its Breach Incident Response Plan and Dell’s Privacy Office works closely with the Security team to investigate security incidents. Dell stated it has significantly increased its Security Investigations teams by hiring additional staff and implementing a new enterprise-wide insider risk program. This program includes a number of new procedures, processes and training modules for security investigators.
  5. In the immediate future, Dell indicated that all front line staff, including those at the two new Service Providers, will be provided training on new processes and procedures on identifying and responding to privacy and security incidents reported by customers, including calls where customers allege that a scammer had Dell service-related information. Such incidents must be immediately reported to Dell’s Privacy and Security teams. Dell has also prepared supplemental privacy training videos for outreach purposes to all of its employees.

Conclusion

  1. Accordingly, we conclude that the matter is well-founded and resolved.