Privacy fail. Who do I contact?
March 9, 2016 3:34 PM   Subscribe

A major telecom corporation is allowing people to sign up for service without validating ownership of the contact email address. They ended up handing me the keys to someone else's kingdom. Their fraud prevention contact refused to take any action. This is bad policy. Who do I tell to get some public pressure on them to change?

I'm an early Gmail adopter, which means I get other people's mail from time to time. I expect this. But I don't expect to receive billing info for someone else's account - and I especially don't expect this when the email address was already used (by me) for my OWN account with the same company.

Today I got a notice of service activation from a major telecom. I called them to let them know the contact info was incorrect, and that the billing verification they had sent me gave me a lot of information about their customer (name, address, type of service, type of card used to pay, monthly payments), all of which could have made it pretty easy to maliciously gain access to the account. The rep referred me to their fraud prevention department. The fraud prevention person was extremely unhelpful and downright rude. Rather than thank me for letting them know there was a problem, she insisted that verifying email address ownership was "not something [our company] can or will do". She flatly refused to remove my email address from the other account. She refused to assure me that any action would be taken, or that the person would be contacted to attempt to resolve anything. So, 30 minutes on the phone for no reason.

As I am also a customer of this company, I was really taken aback. I vented on Twitter. One of their corporate accounts replied, stating they wanted to resolve things, and asked for my contact info in a direct message. I complied.

4 hours later, I have not received any response whatsoever. What I did get was 4 additional emails from the company asking me to (1) use my email to create a user ID and password for the other person's account, (2) confirm order details for an additional add-on service, (3) review a list of tracking numbers for equipment that had been shipped, and - ironically - (4) review their privacy policy.

For all services, they use the email to reset user IDs and passwords. The other person cannot access my email. I can, and because the company refused to remove the email, I could quite easily wreak havoc with the account. And given that my email has been on file with the company for YEARS, associated with my OWN account, I cannot believe that it didn't trigger some kind of error when they entered it for a different account, under a different name, in a different state!

I am sick and damn tired of companies that should know better using lazy practices like this. I had to battle Sony for a year to get them to permanently block anyone from using my email on their PlayStation network, because they don't verify. I was handed full access to some guy's Verizon account a year or two back, because they didn't verify (Verizon, at least, took it seriously when I notified them!). I can't be the only person who has this happen. I can't be the only person who feels like their own privacy is an afterthought. But who do I contact to make these stories more visible? It seems that public shaming is the only weapon we have as consumers.
posted by caution live frogs to Grab Bag (20 answers total) 9 users marked this as a favorite
Contact your state attorney general's office. You also could ask them which federal agency to contact (not immediately sure if it is FTC or FCC)
posted by marguerite at 4:39 PM on March 9, 2016 [5 favorites]

Don't worry, it'll get sorted once their service gets cut off because they did not pay their bill that they did not receive.
posted by kindall at 5:01 PM on March 9, 2016

Create the login, and use it only once to cancel the service. Change the password to something that you can't know or possibly remember. Walk away and ignore further e-mails. I've had to do that several times.
posted by scruss at 5:55 PM on March 9, 2016 [6 favorites]

Best answer: But who do I contact to make these stories more visible?

Perhaps The Haggler, aka David Segal, at the New York Times?
posted by invisible ink at 5:57 PM on March 9, 2016

Give them a day to get back to you; they'll want to respond during business hours, at least if they intend to do more than cover their asses on Twitter.

Otherwise, release the hounds!

I do what scruss does, as well. I get signed up to various things (dating sites, a porn site, an engineering course) in India, UK, and all over North America, because I too have a simple gmail username. As you battle Sony, I fight with Facebook.
posted by Sunburnt at 6:06 PM on March 9, 2016 [1 favorite]

Have you tried their Facebook page? I got my health insurance company to bend over backwards to make things right with me after I shamed them on their Facebook page for what appeared to be a major data breach with my account. It caught the attention of way more people than my attempt on Twitter.
posted by Hermione Granger at 6:15 PM on March 9, 2016

Best answer: Lately, when this happens to my email account, I change the other person's account email address to that of the CEO of the offending company. No idea what happens after that but at least I'm not a part of it anymore.
posted by jamaro at 7:34 PM on March 9, 2016 [29 favorites]

I do not think that you will get them to change their policy. However, I do think it possible for them to eventually just take your email off the other person's account. This actually could be fraudulent with someone else setting up an account in the name of the person who is on the billing info. For that reason, if I did not get satisfaction tomorrow, I would cancel the account. Let them start over.

I agree with you that the bigger concern is the fact that if they let another person open an account with an email address already registered on their system without some sort of double check, they have a severe security hole that makes your own information vulnerable. If you have a credit card on file with them, delete it or get a new card number. If your security questions are the same as ones used on other sites, change the answers to something else.

(I do like jamaro's routine of changing the email address on the incorrect account to the CEO of the offending company. If that does not raise red flags, I do not know what will.)
posted by AugustWest at 8:02 PM on March 9, 2016

Have you tweeted at any local journalists yet?
posted by klangklangston at 9:50 PM on March 9, 2016 [2 favorites]

The Daily Dot might like this. I know reporters there.
posted by Mistress at 1:48 AM on March 10, 2016 [1 favorite]

Contact your local newspaper.
posted by Flood at 3:58 AM on March 10, 2016

The person who signed up for this account is the one who made the initial mistake, not the company. Multiple accounts can have the same billing contact information; that is not unheard of. The company may be contacting them right now, but they are not able to tell you that since you are not an authorized user on the account and there is no way for them to confirm that you and you alone own that email address.
posted by soelo at 7:25 AM on March 10, 2016

However, I do think it possible for them to eventually just take your email off the other person's account.
I dunno, I've tried 4 times to have American Express remove my email address from the account of someone else with my name. Each time they tell me that they've done it, but I still get his bill notifications. At least the OP already has an account with the offending company; I have to jump through a bunch of hoops every time I try since they don't seem to be able to handle the concept of someone without an account needing to talk to customer service.
posted by dfan at 8:27 AM on March 10, 2016

I also get alot of misdirected email at my gmail account and honestly, I don't give a fuck. I've gotten pay stubs, tax returns, shopping information, and many random sign up emails. These days I'm getting some lady's notifications.

I used to do a lot more to correct such things. When someone used my gmail account to buy a plane ticket in Canada and I was able to log into their account and potentially cancel their flight, I used Twitter to embarrass notify the airline.

Now I look them over once in awhile to see if there's any that I really need to act on for my own sake, but pretty much, if someone doesn't know their own damned email address I am not going to do anything to help them. If their info gets stolen, well, I'm sorry but I had nothing to do with it. I know that might sound callous, but it's about the same level in my mind as getting a wedding invitation addressed to the previous tenants of your apartment who never forwarded their mail. I mean, I'm sorry if they miss their friend's wedding, but that's their problem, not mine.
posted by cabingirl at 10:50 AM on March 10, 2016

Response by poster: 24 hours later, no response. They have quite literally handed me enough info that I could wreck this other person's life. I could call, pose as a telecom co. rep, state there was a problem with the order, citing the order info (including the UPS tracking numbers and type of items shipped!), and ask the person to verify their credit card number (they included the card type in the info!!). The ONLY REASON nothing bad will come of this for the person who placed the order is that I am not an asshole. If I were an asshole, I'd have their credit card number right now and be shopping for that new iPad I've been looking at.

I understand that I will get mail intended for other people. It happens. Usually, it happens for innocuous things - free forums, mailing lists, etc. - I usually unsubscribe or log in and change the email. But when money is involved, or personal information, I do my best to make it right. 9 times out of 10 the people or company involved are happy that I took the time to do so. Not this time. Right now, I am pissed that a company I have been doing business with for over a decade is not taking this seriously. I'd like to bring the story to someone who will look at it and ask why we let these shoddy practices continue. There are multiple turnkey systems that will email a validation link or code to an address to verify ownership. A major telecom has no excuse for not implementing that basic step for protection of customer information.
posted by caution live frogs at 11:34 AM on March 10, 2016

The ONLY REASON nothing bad will come of this for the person who placed the order is that I am not an asshole. I

Except, for all you know, this ended up in your inbox because this already involves identity theft.

I am not entirely sure what the correct or best thing to do is, but you are assuming this is a totally valid account that somehow weirdly got the wrong email address. And you really don't know that.

So, I am kind of leaning towards "Cancel the entire account because you have the means to do that and you really have no idea who set it up and the company is being completely uncooperative. So, it is the only way to be sure that you aren't an inadvertent accessory to fraud."
posted by Michele in California at 11:49 AM on March 10, 2016 [1 favorite]

Best answer: Consumerist would be very interested in this.
posted by radioamy at 12:03 PM on March 10, 2016

And, I guess, you could also contact the police and file a police report after closing the account. Print off all emails and write up the order of events.

Cybercrimes are a very hard problem to solve, in part because it is so hard to even see them. You might find this FBI testimony Before the House Committee on the Judiciary, Subcommittee on Crime June 12, 2001 an interesting read.

And then if you do contact the media, you can add that you cancelled the account and filed a police report, just in case this is identity theft, because you are very concerned about the security of your own account and the company was so uncooperative. It just seemed like the safest path forward and you hope it makes a difference of some sort.

I am not sure if you are just asking specifically "in this instance" who do you contact, or if you intend that more broadly. If you intend it more broadly:
For health related info, HIPAA applies. That doesn't seem to apply in this instance. For financial institutions, including banks and insurance companies, Gramm-Leach-Bliley applies. I don't know who to contact to report suspect privacy violations under those acts. If it is insurance related -- which this is not -- you can always call the insurance commissioner in your state.
posted by Michele in California at 12:24 PM on March 10, 2016

Response by poster: For those wondering re: identity theft - anyone with a simple firstname.lastname@gmail is used to this thing. My wife gets email from folks trying to contact a wedding photographer in the UK, I get email intended for a few regulars (like the prison work-release parolee in NJ, the guy in FL who shops at Aldo Shoes, and a new one in CA who signed up for yoga...). But it isn't identity theft. My account is locked down (strong password, 2-factor authentication, notifications to a backup account when an unrecognized device logs in). It's just some other person typing the wrong email address, coupled with corporate policies that don't institute a validation check prior to using the address. For a newsletter, not a big deal. For sending account credentials, this is an issue.

I'm waiting to see if the telecom company responds... so far, 48 hours in, they haven't. The Haggler responded, quite quickly. No idea if he is interested in the story or not, but he did ask for details at least.

What I DID do was ensure I would be receiving LESS info re: this other account. I can't cancel the service, and I'm not enough of a prick to reschedule the installation (guy who ordered service shouldn't suffer from this, should he?). But I DID set up the online profile, just so that I could change the contact info for SOME of the services. Used the email address for the telecom's high level corporate relations contact as the new account address, and ensured that the opt in to EVERY email alert was turned on. I think my frustration with this is moving into the passive-aggressive stage now.
posted by caution live frogs at 12:10 PM on March 11, 2016 [1 favorite]

Response by poster: ...and to wrap this up, Consumerist took it seriously. Thanks for the suggestion! A telecom rep contacted them pretty much immediately to see if they could help.
posted by caution live frogs at 10:25 AM on March 24, 2016 [1 favorite]

« Older I guess it's called "lifelogging" now...   |   Affirmative, Enthusiastic, Mutual Consent: The... Newer »
This thread is closed to new comments.