You may recall some time ago when pretexting made the headlines in Canada after a MacLean's reporter purchased the Privacy Commissioner's phone records (Canadian Privacy Law Blog: That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net). Today the Commissioner released a finding into the incident, accompanied by a big media release:
Data broker exploits human error, weak safeguards to access phone records (July 10, 2007)
PIPEDA Case summary #372: Disclosures to data brokers expose weaknesses in telecoms' safeguards
Here's the release:
Data broker exploits human error, weak safeguards to access phone records

OTTAWA, July 10 /CNW Telbec/ - Recent experience has shown Canadian companies must take precautions to ensure personal information and customer data is not vulnerable to data thieves and pretexters. Strong identification and authentication procedures are essential in blocking unauthorized attempts to access the personal information of Canadians.

An investigation by the Office of the Privacy Commissioner of Canada (OPC) has found that human error and weaknesses in the policies and procedures of three telecommunications companies allowed a data broker to gain unauthorized access to personal phone records.

The investigation was prompted by an article in Maclean's alleging the magazine had been able to purchase the telephone records of Privacy Commissioner Jennifer Stoddart and a senior Maclean's editor from US-based data broker Locatecell.com.

The investigation found that Locatecell.com used "social engineering" to trick phone company customer service representatives into divulging confidential information, either in the specific instances alleged and/or subsequent test cases. Social engineering involves manipulating people into divulging personal information, for example, by pretexting, or pretending to be someone authorized to obtain the information.

The OPC looked at improper disclosures of personal information to pretexters seeking to gain unauthorized access to phone records of individuals without their knowledge or consent. The three companies investigated were Bell Canada, Telus Mobility and Fido.

"In each case, we found that customer service representatives had not followed the companies' established authentication procedures. We also found that training of customer service representatives was not comprehensive enough to protect customers' personal information from illegal access by pretexters," says Assistant Commissioner Raymond D'Aoust. "As a result, the three companies failed to meet the requirements of the Protection of Personal Information and Electronic Documents Act (PIPEDA)."

All three companies revised their customer authentication procedures shortly after the disclosures took place. The OPC reviewed those changes and recommended further steps to address weaknesses in their policies and procedures to prevent unauthorized individuals from gaining access to customers' personal information. All three companies have since taken additional steps to further mitigate the risks resulting from pretexting and unauthorized access to personal records. The Office of the Privacy Commissioner is generally satisfied that all three companies have put in place an adequate set of measures to address the problems.

Nonetheless, the Assistant Commissioner says the companies should have been better prepared to deal with social engineering in the first place. The issue of data brokers using social engineering to obtain call records in the United States had been in the news some time before these incidents occurred.

"It's particularly troubling that not enough was done to let call centre employees know about this kind of threat," says Assistant Commissioner D'Aoust.

"Given the prevalence of identity theft, it is absolutely crucial that all companies adopt strong authentication processes to help ensure that they are providing information to someone who is actually authorized to have that information. It is equally vital that companies ensure that their employees are following these processes and are aware of the threats to personal information that pretexting poses."

The OPC has developed Guidelines for Identification and Authentication on its web site.

A summary of findings in the three cases is also available on the web site.

New laws in the US have recently made it an offence to use pretexting to obtain individuals' phone records in an effort to curb the activities of US information brokers, including Locatecell.com. However, this does not mean the problem has gone away either in the US, or elsewhere, particularly in other countries, including Canada, where no similar legislation yet exists.

In an appearance before a Parliamentary committee last month, Commissioner Stoddart called on the federal government to work collaboratively with the provinces and international partners to adopt a range of legislative and policy solutions to address this problem.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.