Company’s employees bypassed authentication protocols, allowing fraudsters to repeatedly access a customer’s account
PIPEDA Findings #2021-004
March 30, 2021
Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)
Description
An individual complained to our Office that Fido had failed to safeguard his personal information from unauthorized access, which had allowed fraudsters to access and change the personal information on his account. He also alleged that Fido had responded to his access request by providing the information he had requested in a format that was not generally understandable.
Takeaways
- Organizations must ensure that they have adequate safeguards in place to protect the personal information of their customers from unauthorized access and use.
- Impersonators can take advantage of employees’ failure to follow authentication protocols to gain unauthorized access to accounts.
- Organizations should therefore ensure that:
  - Account authentication protocols and protocols for flagging accounts at heightened risk of fraud are easily accessible to staff, clear and easy to follow;
  - Regular refresher training is provided to managers and staff, including to remind them that there are significant consequences for, and damages that can arise from, failure to properly authenticate accounts;
  - Proactive feedback systems are in place to follow up on, and remediate, instances of staff non-compliance with authentication protocols.
- Organizations may choose to provide access to recordings of phone calls rather than provide transcripts of those calls; however, organizations that choose to respond to access requests in this manner must ensure that access is provided in a format that is generally understandable.
Report of findings
Overview
The Complainant in this case alleged that Fido Solutions Inc. (“Fido”), a subsidiary of Rogers Communications Inc. (“Rogers”), failed to safeguard his personal information from unauthorized access. Over several days in January 2019, fraudsters accessed and changed personal information on the Complainant’s account, even after he had added a security PIN and secret questions to the account. The Complainant also raised concerns with regard to the response he received when he sought access to transcripts of the calls between the fraudsters and Fido customer service representatives (“CSRs”).
Our Office reviewed recordings of the phone calls in which different individuals called Fido purporting to be the Complainant and were granted access to the Complainant’s account. We learned that, in each call, the fraudsters gained such access even though they had failed to be authenticated under Fido’s various authentication protocols. We considered the multiple authentication failures by different CSRs to be indicative of a systemic safeguards issue, and we therefore made certain recommendations to bring the organization into compliance with PIPEDA. In response, Fido committed to implementing, by 30 November 2021, numerous measures to better ensure that authentication protocols are understood and followed by staff. We therefore find this aspect of the complaint to be well-founded and conditionally resolved.
With regard to Fido’s response to the Complainant’s access request, we accepted that Fido could provide the Complainant with access to the call recordings, rather than to transcripts of the calls. The Complainant alleged certain information to be missing from the recordings. We confirmed that the limited information redacted from the original calls was not the personal information of the Complainant. However, we found that the edited versions of the call recordings, to which the Complainant was provided access, were of poor quality. Considering that the Complainant was unable to pause, rewind or replay the recordings, which he had to listen to on a laptop in an open Fido retail location, we are of the view that Fido failed to provide access in a format that was generally understandable. We shared our concerns with Fido. Fido reconsidered its position and issued transcripts of the calls at issue, which the Complainant received on 22 March 2021. We therefore find this aspect of the complaint to be well-founded and resolved.
Complaint and background
- The Complainant alleges that Fido contravened the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”) by: (i) failing to safeguard the personal information held in his account from unauthorized access; and (ii) failing to provide transcripts of calls in response to his access to personal information request.
- Rogers is one of Canada’s largest wireless service providers. Fido is a Rogers’ subsidiary that provides, among other things, wireless services. In this investigation, Rogers responded to our requests for information on behalf of Fido.
- The Complainant was a customer of Fido. Between 4 and 10 January 2019, fraudulent activity occurred on his account. He became aware of the situation on 8 January 2019, when he received a call from a Fido customer service representative (“CSR”) who indicated that she was calling him back to continue their conversation and complete a “transaction” after their call had been disconnected. Both quickly came to realize that the individual the CSR had previously spoken with had been impersonating the Complainant. It was later determined that this was the third time a fraudster had called Fido purporting to be the Complainant. The next day, the Complainant added a security PIN and secret questions to his account. Despite these additional authentication measures, the fraudsters were still able to access the Complainant’s account at least one additional time.
- Ultimately, over the several days where fraudulent activity was ongoing, the same or other fraudsters called Rogers on five occasions and were, each time, able to access the Complainant’s account. In doing so, the fraudsters accessed the Complainant’s personal information, including his name, date of birth, postal code, account number and email address.
- The Complainant contacted Fido regarding his concerns about the unauthorized access to his account. He also made an access request to Fido to obtain transcripts of the calls between Fido CSRs and the fraudsters. In response, Fido acknowledged that certain of his personal information had been inappropriately disclosed, but refused to provide him with either transcripts of the phone calls or copies of the audio recordings, citing concerns over the fraudsters’ privacy. The Complainant alleged that while Fido offered him an opportunity to listen to the phone calls at a retail store location, he was initially told that he would not be permitted to listen to the recordings in a designated quiet space, be seated, take detailed notes or adjust the volume while listening to the recordings. The Complainant indicated that he was ultimately permitted to sit and take minimal handwritten notes, but was not able to pause or rewind the recordings or adjust the volume.
- The Complainant was dissatisfied with the response he received from Fido and filed the present complaint with our Office.
Analysis
Issue 1: Whether Fido adequately safeguarded the Complainant’s personal information
- We found that Fido failed to adequately safeguard the Complainant’s personal information. CSRs repeatedly failed to follow authentication protocols, and then failed to put an alert on the Complainant’s account upon initially learning of fraudulent activity, ultimately resulting in the unauthorized disclosure of the Complainant’s personal information.
- Principle 4.7 provides that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 further requires that the safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
- The Complainant alleges that Fido failed to protect his personal information, which resulted in Fido CSRs providing fraudsters with his personal information. The Complainant is of the opinion that whether or not Fido has security protocols, its CSRs are highly incentivized to prioritize sales and profits over the protection of customer personal information, and that Fido lacks adequate safeguards to prevent unauthorized access to customer accounts.
- Our Office’s Guidelines for Identification and Authentication (Footnote 1) provide that “[t]he stringency of authentication processes should be commensurate with the risks to the organization as well as to the individual.”
- Fido explained to our Office that it has protocols for CSRs to follow when authenticating a caller. Pursuant to these protocols:
  - CSRs are expected to greet customers, identify the issue that the individual is calling about, and authenticate the caller using a combination of the account holder’s date of birth and postal code.
  - If a customer has a PIN or Voice ID set up on their account as an additional authentication measure, the CSR is expected to authenticate the account using that particular authentication method.
  - If the caller does not provide the correct PIN or the Voice ID authentication fails, the CSR is expected to authenticate the caller using “out of box” questions, such as asking for the amount of the last bill, the names of other authorized individuals on the account, or the last four digits of the account holder’s government-issued ID.
  - If the caller fails to answer correctly three “out of box” questions, the CSR is required to instruct the caller to present himself or herself to a retail store to authenticate the account using government-issued ID.
- Fido provided our Office with recordings of the five phone calls between its CSRs and the fraudsters. Based on our review of the calls, we find that in all instances, the various Fido authentication protocols described above were bypassed by the CSRs.
- For instance, during the first phone call, the fraudster provided the Complainant’s phone number, but the wrong name. The CSR on this call responded to the fraudster by disclosing the Complainant’s name. Over the course of the call, the CSR then supplied the fraudster with additional information including the Complainant’s account number, date of birth, address, and the number of phone lines associated with the account. We note that, pursuant to Fido’s authentication protocol, the information disclosed during this first call is information that would typically be used to authenticate a caller. In fact, the information the CSR supplied the fraudster during the first call is precisely what fraudsters used to continue to gain access to the Complainant’s account in subsequent phone calls to Fido.
- In the second phone call, a fraudster failed to be authenticated using Voice ID, and the CSR nevertheless granted the individual access to the Complainant’s account, using date of birth and postal code.
- On the fifth and last call we reviewed, the fraudster provided the wrong PIN twice and incorrectly answered the “out of box” questions twice, despite the CSR providing the fraudster with multiple hints. In this last example, the CSR also provided the fraudster access to the account, and the fraudster then proceeded to change both the email address and the PIN on the account.
- Fido indicated to our Office that a “flash alert” was placed on the Complainant’s account following this last phone call, as an account takeover event had been identified. The “flash alert” stressed to CSRs the need to adhere to the Account Access Policy. Fido had known of fraudulent activity on the Complainant’s account since the third call (i.e., when a CSR contacted the Complainant). This measure, which could have alerted CSRs to the heightened risk and thus prevented further unauthorized access to the Complainant’s personal information, was therefore implemented too late.
- In our view, the multiple authentication failures identified in this case are indicative of a systemic safeguards issue. Despite Fido having established and implemented protocols that require employees to authenticate callers using multiple authentication methods, the protocols were bypassed by each CSR that dealt with the Complainant’s account during this period. As described in our Office’s Guidelines, for authentication measures to be effective, employees must be aware of and adhere to policies established to prevent individuals from gaining unauthorized access to customer personal information. In our view, it is important for organizations to implement measures to ensure the processes they have in place are followed, particularly where employees may have motives (for instance, achievement of sales targets) tempting them to bypass certain protocols. For the above reasons, we find Fido to be in contravention of Principle 4.7.
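The protocol described above failed because each step was left to the CSR’s discretion. As an added illustration (this is not Fido’s or Rogers’ code; the account data, PIN, questions and answers are constructed, and the points where the model goes beyond the finding are marked as assumptions), the following Python models that protocol as a state machine in which account access and data disclosure are gated by the authentication state rather than by the employee, and replays the calls as the finding describes them:

```python
"""Caller-authentication state machine modelled on the step-up protocol in the
finding: date of birth + postal code, then PIN or Voice ID, then "out of box"
questions, then referral to a store after three failures. Added example; not
Fido's system. Assumptions beyond the finding are marked in comments."""
import hmac
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, List, Optional

MAX_OOB_FAILURES = 3  # three wrong "out of box" answers -> in-store ID check


class Outcome(Enum):
    PENDING = auto()
    AUTHENTICATED = auto()
    REFER_TO_STORE = auto()


def _match(expected: Optional[str], supplied: Optional[str]) -> bool:
    """Constant-time comparison of a normalised secret answer."""
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected.strip().lower().encode(), supplied.strip().lower().encode())


@dataclass
class Account:
    name: str
    dob: str
    postal_code: str
    pin: Optional[str] = None
    voice_id_enrolled: bool = False
    oob_answers: Dict[str, str] = field(default_factory=dict)
    flash_alert: bool = False  # heightened-risk flag: forces the augmented protocol


@dataclass
class CallSession:
    account: Account
    outcome: Outcome = Outcome.PENDING
    basic_ok: bool = False
    oob_failures: int = 0
    log: List[str] = field(default_factory=list)

    def _needs_step_up(self) -> bool:
        a = self.account
        return a.pin is not None or a.voice_id_enrolled or a.flash_alert

    def verify_basic(self, dob: str, postal_code: str) -> bool:
        """DOB + postal code authenticates only an account with no PIN, no Voice ID
        and no flash alert; otherwise it merely unlocks the step-up factors."""
        self.basic_ok = _match(self.account.dob, dob) and _match(self.account.postal_code, postal_code)
        if self.basic_ok and not self._needs_step_up():
            self.outcome = Outcome.AUTHENTICATED
        return self.basic_ok

    def verify_pin(self, pin: str) -> bool:
        # Assumption: under a flash alert a correct PIN alone is not enough and
        # the caller must also pass an "out of box" question.
        ok = self.basic_ok and _match(self.account.pin, pin)
        if ok and not self.account.flash_alert:
            self.outcome = Outcome.AUTHENTICATED
        elif not ok:
            self.log.append("PIN failed: out-of-box questions required")
        return ok

    def verify_voice_id(self, biometric_passed: bool) -> bool:
        """Result reported by the voice-biometric engine (mocked by the caller)."""
        if biometric_passed and self.basic_ok and not self.account.flash_alert:
            self.outcome = Outcome.AUTHENTICATED
        elif not biometric_passed:
            self.log.append("Voice ID failed: out-of-box questions required")
        return biometric_passed

    def answer_oob(self, question: str, answer: str) -> bool:
        """One correct answer completes step-up (assumption). The third wrong answer
        ends the call with a store referral and flags the account so later calls
        face the augmented protocol."""
        if self.outcome is Outcome.REFER_TO_STORE:
            return False
        if self.basic_ok and _match(self.account.oob_answers.get(question), answer):
            self.outcome = Outcome.AUTHENTICATED
            return True
        self.oob_failures += 1
        if self.oob_failures >= MAX_OOB_FAILURES:
            self.outcome = Outcome.REFER_TO_STORE
            self.account.flash_alert = True
            self.log.append("three out-of-box failures: refer to store with government ID")
        return False

    def grant_access(self) -> bool:
        """The only way to open the account. A CSR proceeding without a passing factor
        is refused and the attempt is logged (the 'just-in-time' control the finding
        recommends)."""
        if self.outcome is Outcome.AUTHENTICATED:
            return True
        self.log.append(f"BLOCKED: access attempted in state {self.outcome.name}")
        return False

    def disclose(self, field_name: str) -> Optional[str]:
        """Account data is readable only after authentication; in call 1 a CSR read
        name, DOB and address to an unauthenticated caller."""
        return getattr(self.account, field_name) if self.grant_access() else None


def replay_calls() -> List[bool]:
    """Constructed replay of the five calls (the finding details calls 1, 2 and 5).
    Each entry is whether the system would have opened the account."""
    acct = Account("A. Customer", "1980-01-01", "K1A 0B1", oob_answers={"last bill amount": "87.45"})
    results = []
    s = CallSession(acct)                      # call 1: phone number, wrong name
    results.append(s.disclose("name") is not None)
    acct.voice_id_enrolled = True
    s = CallSession(acct)                      # call 2: Voice ID fails, DOB+postal used
    s.verify_basic("1980-01-01", "K1A 0B1"); s.verify_voice_id(False)
    results.append(s.grant_access())
    s = CallSession(acct)                      # call 3: CSR later recognises fraud
    s.verify_basic("1980-01-01", "K1A 0B1"); results.append(s.grant_access())
    acct.flash_alert = True                    # what should have happened after call 3
    acct.pin = "4821"; acct.oob_answers["secret question"] = "blue"  # added next day
    s = CallSession(acct)                      # call 4: DOB+postal only
    s.verify_basic("1980-01-01", "K1A 0B1"); results.append(s.grant_access())
    s = CallSession(acct)                      # call 5: wrong PIN x2, wrong OOB x2
    s.verify_basic("1980-01-01", "K1A 0B1"); s.verify_pin("0000"); s.verify_pin("1111")
    s.answer_oob("last bill amount", "50"); s.answer_oob("secret question", "red")
    results.append(s.grant_access())
    return results


def legitimate_call() -> bool:
    """The real customer, with a PIN set and no alert, passes in two steps."""
    acct = Account("A. Customer", "1980-01-01", "K1A 0B1", pin="4821")
    s = CallSession(acct)
    s.verify_basic("1980-01-01", "K1A 0B1"); s.verify_pin("4821")
    return s.grant_access()


def store_referral() -> CallSession:
    """Three wrong out-of-box answers: referral to a store and the account is flagged."""
    acct = Account("A. Customer", "1980-01-01", "K1A 0B1", pin="4821", oob_answers={"q": "a"})
    s = CallSession(acct)
    s.verify_basic("1980-01-01", "K1A 0B1"); s.verify_pin("0000")
    for wrong in ("x", "y", "z"):
        s.answer_oob("q", wrong)
    return s
```

The design point is that `grant_access` and `disclose` are the only paths to the account and they consult the session state, not the employee; a CSR who wants to help a caller who has failed Voice ID or the PIN has nowhere to click, and the refused attempt is logged for the compliance monitoring the recommendations call for.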
Recommendations and Fido’s response
- We therefore recommended that Fido enhance its safeguards to ensure authentication protocols are understood and followed by staff, and are effective. More specifically, we recommended that Fido:
  - Consolidate existing documented authentication protocols to be implemented by Fido staff, including: (i) standard authentication protocols; (ii) protocols for identifying when an account is subject to heightened risk of attempts at unauthorized access; and (iii) augmented protocols in the event of such heightened risk.
  - Provide regular refresher training on established authentication protocols, including reminders to employees that: (i) there are significant consequences for, and damages that can arise from, failure to properly authenticate; (ii) the organization takes steps to monitor and ensure proper authentication protocols are followed; and (iii) consequences will be enforced. Communications to employees could include just-in-time system communications when an employee is about to bypass protocols.
  - Provide refresher training for managers and staff about the consequences that may result when an employee has not followed these protocols (e.g., coaching, progressive discipline up to and including potential termination).
  - Implement proactive feedback related to non-compliance with authentication protocols, using internal customer complaint and fraud management tools to complement existing monitoring of employee compliance with all authentication protocols.
- Fido committed to implementing these recommendations by 30 November 2021, noting its intent to implement these not only at Fido, but in all call centres across Rogers’ brands. Fido also committed to providing our Office with documentation confirming the implementation of each of the recommendations.
Issue 2: Whether Fido adequately responded to the Complainant’s access request
- We determined that Fido could redact certain information from recordings to which it provided the Complainant access, as it was not his personal information, and we found no evidence to suggest that Rogers withheld any other portions of the relevant calls. We also accepted that Fido could provide access by allowing the Complainant to listen to call recordings. However, we found that Fido did not provide such access in a form that was generally understandable, due to poor recording quality and listening conditions.
- Principle 4.9 of Schedule 1 of the Act states that, upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and be given access to that information.
- The Complainant alleged that portions of the calls to which he was provided access were missing because they totaled much less than the 2.5 hours he had initially been told existed.
- We compared the original call recordings to the shorter edited versions to which the Complainant had been granted access. We note that the original calls were not 2.5 hours long, but rather, approximately 1 hour and 27 minutes. We note that, in response to his concerns about the length of the recordings, Fido had advised the Complainant that it may have initially overestimated the length of the calls. We have no evidence to suggest that the original recordings were incomplete.
- The edited versions were approximately 1 hour and 24 minutes long. We confirmed that the information redacted (approximately three minutes, over the five recordings) was information, provided by the fraudster, that was not the personal information of the Complainant.
- The Complainant further alleged that Fido impeded his right of access by refusing to provide a transcript of the call recordings. He alleged that the recordings to which he was granted access were of poor sound quality, which made it difficult for him to understand the information, particularly given the listening restrictions imposed by Fido, as described under Complaint and background above.
- Our Office’s Interpretation Bulletin: Access to Personal Information notes that “PIPEDA does not guarantee that individuals can access their personal information in a particular form (i.e. audio recordings versus transcripts) nor that copies of the information have to be provided in all cases—PIPEDA specifies only that access be given to the requester.” In our view, Fido was not required to provide access in the form of transcripts, and could potentially satisfy the requirement to provide access by allowing a requestor to attend its premises and listen to audio recordings.
- However, pursuant to Principle 4.9.4, Fido was required to provide access in a form that was generally understandable. In our view, it did not do so in this case.
- The Complainant was allowed to listen to the recordings on a locked laptop, in an open concept Fido retail location. The Complainant noted that he was unable to pause, rewind or replay the recordings. Fido submitted that he could adjust the volume, while the Complainant claimed he could not do so. The Complainant was able to take limited handwritten notes.
- In reviewing the audio recordings, we observed that the edited versions were of worse sound quality than the originals, such that we had to replay many of the recordings multiple times in order to understand the information.
- Considering the Complainant had to listen to those recordings in a retail store, without the ability to pause, rewind or replay the recordings, we are of the view that the format in which access was provided in this case was not generally understandable. As such, we found Fido to be in contravention of Principles 4.9 and 4.9.4.
- In the course of our investigation, we shared with Fido our concerns with regard to the poor sound quality of the recordings provided to the Complainant. Fido reconsidered its position and issued transcripts of the calls at issue, which the Complainant received on 22 March 2021.
Conclusion
- With respect to the issue of safeguards, noting that Fido has committed to implementing our recommendations by 30 November 2021, our Office finds this aspect of the complaint to be well-founded and conditionally resolved.
- With respect to access, noting that Fido has provided a transcript of the calls in question to the Complainant, our Office finds this aspect of the complaint to be well-founded and resolved.