PIPEDA Case Summary #372

Disclosures to data brokers expose weaknesses in telecoms’ safeguards

[Principles 4.3, 4.7, 4.7.1; section 2]

The November 21, 2005, edition of Maclean’s magazine contained an account of how the magazine obtained records of telephone calls made by the Privacy Commissioner of Canada, Ms. Jennifer Stoddart, from her home telephone and Office BlackBerry numbers, as well as the cell phone records of an unnamed Maclean’s senior editor. The records in question were purchased by the reporter from Locatecell.com, a U.S. data broker, which had, in turn, obtained them from Canadian telecommunications companies, Bell, TELUS Mobility, and Fido. Concerned about how these disclosures could happen, the Assistant Privacy Commissioner initiated complaints against the Canadian companies.[1]

The investigations revealed that Locatecell.com had used “social engineering” to successfully circumvent the customer authentication procedures of Bell and TELUS Mobility. Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. Pretexting is one such technique and is the act of creating and using an invented scenario to obtain information from a target, usually over the telephone.

In the cases at hand, there was no evidence that anyone had hacked into the companies’ systems or that the disclosures were made by rogue employees. It was established that employees in all three organizations did not follow customer authentication procedures and thereby failed to adequately protect customer personal information. The Assistant Commissioner concluded that neither the companies’ authentication procedures nor the training of their Customer Service Representatives (CSRs) was sufficiently comprehensive to protect their customers’ personal information or to meet the requirements of the Act. The Office was disappointed that these organizations were not better prepared.
Social engineering is a known threat to the confidentiality of customer personal information, and the specific issue of data brokers obtaining call records had arisen in the United States the summer before the events described in these complaints. The Assistant Commissioner was therefore particularly troubled that not enough had been done to alert employees to such threats and thereby prevent the disclosure of customer personal information. Nevertheless, the Assistant Commissioner was pleased that all three companies revised their customer authentication procedures shortly after the disclosures took place.

Although the companies had introduced important changes, the Assistant Commissioner was of the view that they could take further steps to address the weaknesses in their policies and procedures with respect to unauthorized individuals gaining access to customer personal information. He recommended further changes to CSR training and to procedures on disclosing personal information and authentication in order to mitigate the threat of access to personal information by unauthorized persons. The companies implemented all of the measures except one, for which they proposed other actions that were found acceptable by the Assistant Commissioner. As a result, the Assistant Commissioner found that the complaints against all three companies were well-founded, but have since been resolved given the corrective actions taken by the organizations.

The following is additional information on the investigations and the Assistant Commissioner’s deliberations, specific to each company.

Summary of Investigation #1 – Bell Canada

The Maclean’s reporter was able to obtain details of telephone calls on Ms. Stoddart’s two Bell Canada accounts, which he stated he had obtained from Locatecell.com. Ms. Stoddart did not have knowledge of, nor did she give consent to, this disclosure of her telephone call details by Bell.
After learning of the matter, Bell conducted a review of its systems and concluded that they had not been technically hacked into. There was also no evidence of suspicious internal activity involving any employee. After further testing, it was determined that customer personal information was obtained through a process known as “social engineering.”

By analyzing Bell’s automated voice system logs, the company determined that on November 2, 2005, several calls from the United States were made to specific Bell Customer Service lines. Most of the calls were handled by the automated voice system. Attempts had been made to access the self-service applications on the system, but these were unsuccessful because the caller was not able to get through the validation process. In two of the calls, the caller was redirected to a CSR. Bell Canada identified the CSRs who handled the calls. One of them no longer works for Bell and could not be reached. The other CSR stated that she did not remember the call given the volume of calls she handles every day, many concerning billing inquiries.

When the Locatecell.com records were compared to Bell’s billing records, they did not reflect the original request and contained numerous discrepancies, which were consistent with numbers being disclosed verbally while someone is trying to simultaneously type them on a keyboard. No copies of any Bell bills were disclosed by Bell to Locatecell.com. Rather, the call detail information was provided verbally by the CSR over the telephone.

In order to determine how Locatecell.com was able to obtain the call records, Bell submitted a request for information via the Locatecell.com site. Two calls were placed from the same US locations as the earlier calls. Locatecell.com responded to the test request on the same day, providing the information that had been requested. Bell identified the CSRs who handled these calls from Locatecell.com.
In both cases, the caller used pretexting techniques and the CSRs failed to authenticate the caller before divulging call record details. Further testing was done by Bell. The data broker again relied on pretexting to obtain call record information. In one instance, he was successful, but not in the other.

The Office reviewed the company’s validation procedures in place at the time of the incident, subsequent test calls, as well as the corrective action taken. Following the incident and subsequent testing, Bell promptly amended its validation procedures to further protect against the use of pretexting to gain unauthorized access to customer information and issued reminders and provided additional training to CSRs on the importance of customer confidentiality and compliance with its validation procedures. Bell further amended these procedures a few months later, taking into account negative customer feedback about the amount of information they had to provide during the validation process.

Customers for some time have had the option of establishing a password on their account. If there is a password on an account, the customer has to provide it in order to be validated. CSRs are further instructed to offer the password service to customers with various concerns, including privacy concerns.

CSRs receive training on authenticating customers as part of their initial employee training. They have easy access to all of the company’s practices and receive information on all new procedures. CSRs were given face-to-face training on the new customer validation procedures, and coaching of CSRs is ongoing.

We spoke to the CSRs who were involved in the test calls, as well as the one who disclosed Ms. Stoddart’s call records. All acknowledged having received training on customer validation during their initial employee training. They claimed that they received no subsequent customer validation training until the new procedures were implemented in late 2005.
On the subject of confidentiality of customer information, two were familiar with this concept and acknowledged having received training on privacy and ethics. The other two CSRs were not familiar with it and claimed that they had not received training on privacy and ethics. With regard to confidentiality of customer information, employees are required to sign off annually on the company’s code of conduct, which includes a section on customer privacy. Employees are given an array of documents, which we reviewed, concerning the company’s privacy policy and specifically the confidentiality of customer records.

On November 14, 2005, Bell issued a press release that reinforced the importance of protecting customer information. Bell pointed out that subterfuge and misrepresentation had been used, and that the companies and customers involved were victims of fraud. The release stated that Bell had tightened its safeguards, recognizing that this would cause some inconvenience to customers legitimately requesting their personal information. It also noted that the company was continuing its efforts to investigate whether there was any legal action that would stop the fraudulent practices.

This case triggered the following sections of the Personal Information Protection and Electronic Documents Act (the Act):

Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Principle 4.7.1 states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
In making his determinations with regard to Bell, the Assistant Commissioner deliberated as follows:
Summary of Investigation #2 – TELUS Mobility

The reporter also obtained a record of cell phone calls on a TELUS Mobility account from Locatecell.com. The call records in question were initially assumed to be associated with Ms. Stoddart’s Office-issued BlackBerry number, but were later determined to be associated with an Office staff member’s Office BlackBerry number.

TELUS Mobility was able to determine which client care representative (CCR) disclosed the information. Pretexting was again used by the data broker. The CCR in this case was a relatively new employee, and in an attempt to be helpful, disclosed call record information and did not properly authenticate the caller according to established procedures. Attempts were made by the caller to access the account information via TELUS Mobility’s Integrated Voice Recognition system, but were unsuccessful as the caller was unable to get past the validation process.

As for why the Office employee’s call records were disclosed instead of Ms. Stoddart’s, which were requested, it was surmised that since the employee’s BlackBerry number appears on the same corporate account as Ms. Stoddart’s BlackBerry number, the CCR may have inadvertently accessed the account information associated with the employee instead of account information associated with Ms. Stoddart, as requested by the caller.

The caller asked to review three bills—August, September and October. He asked for the date and number of each call, and how many times in a day the same number appeared. Once the CCR had given him the calls for the September and October billing period, he said that was enough and the call ended. About a week after the call, during a regular meeting with her manager, the CCR mentioned the call as it had raised her suspicions. The employee was coached on what steps she should take in the future when confronted with a suspicious call.
According to TELUS Mobility, on average, it processes several million incoming customer calls per year, and prior to this incident it had not had any reports of similar incidents. We compared the actual invoice information for the Office employee’s number with the calls that Locatecell.com provided to Maclean’s in response to its request for Ms. Stoddart’s information. We noted errors and omissions, which appeared to be consistent with information being provided verbally at a fairly rapid pace.

Ms. Stoddart’s and the Office employee’s BlackBerrys are part of the Office’s corporate account. At the time of the disclosure, there was no PIN on the account. TELUS Mobility has specific validation procedures for a call handled by a CCR concerning a corporate account without a PIN.

CCRs receive training on authentication procedures as part of their initial employee training. CCRs can access the procedures at any time. TELUS Mobility also sends periodic reminders to CCRs on authentication. TELUS Mobility provided documentation to the Office regarding the evaluation of CCRs, postings on verification procedures, and other training materials which include information on social engineering. CCRs are also required to complete learning programs that make reference to the protection of customer information. Two of these courses must be completed annually.

TELUS Mobility took a number of steps to address the issue, including providing information to employees on social engineering and stressing the importance of following established procedures. Further amendments to these procedures may be made. In order to determine the methods used by Locatecell.com and other information brokers, TELUS Mobility conducted tests of their services. Only one of TELUS Mobility’s e-mail requests to the data brokers was acknowledged, but no records were forwarded to it by any of the brokers.
In this specific case, the following sections of the Act were relevant:

Section 2 defines personal information as information about an identifiable individual.

Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Principle 4.7.1 states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
In making his determinations with regard to TELUS, the Assistant Commissioner deliberated as follows:
Summary of Investigation #3 – Fido

The November 21, 2005, edition of Maclean’s magazine also contains an account of how the magazine obtained the Fido cell phone records of an unnamed Maclean’s senior editor from Locatecell.com. The reporter, however, would not disclose the editor’s name to either Fido or our Office. Fido was therefore unable to provide any specific details about the alleged disclosure.

Fido, like Bell and TELUS Mobility, tested Locatecell.com’s services in order to determine whether the data broker could obtain customer call detail information as the Maclean’s article claimed. It submitted a request and Locatecell.com provided Fido with the requested call details. To find out how Locatecell.com obtained the information, the company tracked all CSR activity on specific customer accounts in order to view the CSR notes and actions. Fido then made two purchases from Locatecell.com on the monitored accounts. In one case, Locatecell.com was able to obtain call details. Fido determined that the information was not disclosed by a dishonest employee nor was the disclosure the result of any hacking into its systems; rather the broker, as in the Bell and TELUS cases, relied on pretexting to obtain the records.

This case raised the following provisions of the Act:

Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Principle 4.7.1 states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
The specific allegation in Maclean’s that an editor’s Fido call records were disclosed without knowledge or consent could not be substantiated. However, Fido conducted additional tests and found that Locatecell.com was able to obtain customer information from the company’s CSRs through pretexting. The CSRs disclosed the information without verifying the identity of the caller, contrary to Principle 4.3. The Assistant Commissioner was concerned that these tests showed that not all Fido CSRs were abiding by customer authentication policies and procedures, contrary to Principles 4.7 and 4.7.1.

Fido provided the Office with a comparison chart of its pre- and post-incident customer validation procedures for both Fido and Rogers Wireless (Fido is a subsidiary of Rogers Wireless Inc.). Customer validation is mandatory for all CSRs, and the CSR disclosing information is responsible for validating the customer. As a result of the incident, Fido/Rogers took steps to eliminate the ability to obtain call records through its automated system, and increased the identification required when speaking to a CSR. All CSRs received information, which they were required to sign, on the company’s new measures. Additional measures were instituted to ensure that new CSRs know customer validation procedures. Information was also sent to all employees regarding attempts to illegally obtain customer information, and to prohibit the faxing of call details. Retail outlets were further instructed on validation. The company also conducted a review of its validation procedures.

CSRs receive training on confidentiality of customer information, including customer validation, as part of their new employee training. Information on customer validation can be easily accessed by CSRs at any time. Fido also provided documentation on confidentiality policies to which employees must adhere.
Recommended actions for Bell, TELUS Mobility and Fido

While acknowledging the measures the companies had already taken, the Assistant Commissioner believed that they could take further steps to address the weaknesses in their policies and procedures for mitigating the threat of unauthorized individuals gaining access to customer personal information. It was therefore recommended that Bell, TELUS Mobility and Fido each undertake a number of specific actions to strengthen customer service representative training, limit personal information disclosures and improve authentication procedures. The companies responded that they would implement his recommendations, with one exception. However, for this exception, they proposed other measures that the Assistant Commissioner found acceptable. Accordingly, the Assistant Commissioner concluded that all three complaints were well-founded and resolved.

The Assistant Commissioner provided the companies with a copy of our Guidelines for Identification and Authentication, and highlighted for their consideration sections concerning authentication factors and audit.

The Assistant Commissioner acknowledged that customers may object to some of the changes implemented by the companies. He noted, however, the role that the individual plays in the protection of her or his personal information by questioning and avoiding the use of weak authentication processes, by choosing strong authenticators (for example, passwords and PINs that are random and difficult to guess), and by responsibly and continuously safeguarding their identifiers and authenticators. Organizations can ease the situation by providing customers with general information on the importance of authentication.
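The safeguards the three investigations describe (a mandatory account password or PIN whenever one is set, no call-detail release through the automated system, CSR validation before any disclosure, and audit of the call logs) can be expressed as a small disclosure gate plus a log review. The code below is an added example, not part of the case summary or of any company’s procedures; the account numbers, PINs, agent ids, log lines and the two-knowledge-factor threshold are constructed assumptions.

```python
# Added example, not from the case summary; accounts, PINs, agents and log lines are constructed.
from __future__ import annotations
import hmac
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Account:
    number: str
    pin: str | None             # account password/PIN, mandatory whenever one is set
    knowledge: dict[str, str]   # knowledge factors a CSR may ask for

def authenticate(acct: Account, provided: dict[str, str], factors: int = 2) -> bool:
    """PIN required whenever the account has one; otherwise the caller must answer
    at least `factors` knowledge questions correctly (2 is an assumed threshold)."""
    if acct.pin is not None:
        return hmac.compare_digest(acct.pin, provided.get("pin", ""))
    matched = sum(1 for k, v in acct.knowledge.items()
                  if provided.get(k, "").strip().lower() == v.lower())
    return matched >= factors

CALL_DETAILS = {"A1": ["2005-10-03 613-555-0100", "2005-10-04 613-555-0199"]}  # constructed
AUDIT: list[dict] = []   # every disclosure decision is recorded for later review

def request_call_details(acct, channel, origin, provided, agent="-"):
    """Gate in front of call-detail disclosure: the automated (IVR) channel never
    releases call details; a CSR may, but only after authenticate() succeeds."""
    if channel != "csr":
        result = "refused"
    else:
        result = "disclosed" if authenticate(acct, provided) else "failed"
    AUDIT.append({"origin": origin, "acct": acct.number, "result": result,
                  "agent": agent, "validated": "yes" if result == "disclosed" else "no"})
    return CALL_DETAILS.get(acct.number) if result == "disclosed" else None

def parse_log(text: str) -> list[dict]:
    """Parse 'timestamp channel key=value ...' audit lines such as LOG below."""
    events = []
    for line in text.strip().splitlines():
        ts, channel, *kv = line.split()
        ev = {"ts": ts, "channel": channel}
        ev.update(p.split("=", 1) for p in kv)
        events.append(ev)
    return events

def review(events, max_failures=2):
    """Flag (a) a disclosure made without validation and (b) a disclosure on an
    account after >= max_failures failed attempts from the same caller origin."""
    failures, findings = defaultdict(int), []
    for ev in events:
        key = (ev["origin"], ev["acct"])
        if ev["result"] in ("failed", "refused"):
            failures[key] += 1
        elif ev["result"] == "disclosed":
            if ev.get("validated") == "no":
                findings.append(("unvalidated_disclosure", ev["agent"], ev["acct"]))
            if failures[key] >= max_failures:
                findings.append(("disclosure_after_failures", ev["origin"], ev["acct"]))
    return findings

LOG = """\
2005-11-02T10:01 ivr origin=US acct=A1 result=failed
2005-11-02T10:03 ivr origin=US acct=A1 result=failed
2005-11-02T10:05 csr origin=US acct=A1 result=disclosed agent=csr17 validated=no
2005-11-02T11:00 csr origin=CA acct=A2 result=disclosed agent=csr04 validated=yes
"""
```

Running review(parse_log(LOG)) flags both the disclosure made without validation and the disclosure that followed repeated failed self-service attempts from the same origin, the two signals the Bell log analysis relied on.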
Update on data brokers

The situation in the United States regarding data brokers such as Locatecell.com has changed in the last few months, with draft legislation being introduced, at both the state and federal levels, to make it an offence to use pretexting techniques to obtain, sell, or solicit others to obtain phone records. Some of this legislation has been passed into law. Moreover, several lawsuits have been filed against Locatecell.com by various organizations, including telephone companies. Bell obtained an injunction against Locatecell.com, its principals and several related companies, prohibiting them from attempting to obtain customer information. TELUS Mobility had also engaged US legal counsel to initiate action against the operators of Locatecell.com, but later dropped this course of action when it became apparent that Locatecell.com had ceased business operations.

Indeed, US information broker activities have been stopped in many cases or minimized. Many of the broker websites are unavailable, and the site for Locatecell.com has been inoperative for some time. Nevertheless, this does not necessarily mean that the threat to the confidentiality of personal information has vanished or that data brokers have disappeared from the U.S. or other countries (particularly those that do not have similar pretexting laws).

In Canada, a private member’s bill, Bill C-299, was introduced in the House of Commons on May 17, 2006. The purpose of the bill as originally drafted was to protect individuals against the collection of their personal information through fraud and impersonation (pretexting). To date, the bill in its original form has not been passed into law. As noted in our Guidelines, threats to personal information are constantly changing and emerging.
Organizations must adapt their policies and practices to manage these new risks and protect the personal information in their care.

[1] Initially, the Assistant Commissioner also opened a complaint against Locatecell.com. However, preliminary results of our inquiries revealed that the Office lacked jurisdiction to continue the investigation.
Date published: 2007-07-10