Tuesday, July 10, 2007

Commissioner releases pretexting report

You may recall some time ago when pretexting made the headlines in Canada after a MacLean's reporter purchased the Privacy Commissioner's phone records (Canadian Privacy Law Blog: That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net). Today the Commissioner released a finding into the incident, accompanied by a big media release:

Data broker exploits human error, weak safeguards to access phone records

July 10, 2007

PIPEDA Case summary #372: Disclosures to data brokers expose weaknesses in telecoms’ safeguards

Here's the release:

Data broker exploits human error, weak safeguards to access phone records

OTTAWA, July 10 /CNW Telbec/ - Recent experience has shown Canadian companies must take precautions to ensure personal information and customer data is not vulnerable to data thieves and pretexters. Strong identification and authentication procedures are essential in blocking unauthorized attempts to access the personal information of Canadians.

An investigation by the Office of the Privacy Commissioner of Canada (OPC) has found that human error and weaknesses in the policies and procedures of three telecommunications companies allowed a data broker to gain unauthorized access to personal phone records.

The investigation was prompted by an article in Maclean's alleging the magazine had been able to purchase the telephone records of Privacy Commissioner Jennifer Stoddart and a senior Maclean's editor from US-based data broker Locatecell.com.

The investigation found that Locatecell.com used "social engineering" to trick phone company customer service representatives into divulging confidential information, either in the specific instances alleged and/or subsequent test cases. Social engineering involves manipulating people into divulging personal information, for example, by pretexting, or pretending to be someone authorized to obtain the information.

The OPC looked at improper disclosures of personal information to pretexters seeking to gain unauthorized access to phone records of individuals without their knowledge or consent. The three companies investigated were Bell Canada, Telus Mobility and Fido.

"In each case, we found that customer service representatives had not followed the companies' established authentication procedures. We also found that training of customer service representatives was not comprehensive enough to protect customers' personal information from illegal access by pretexters," says Assistant Commissioner Raymond D'Aoust. "As a result, the three companies failed to meet the requirements of the Protection of Personal Information and Electronic Documents Act (PIPEDA)."

All three companies revised their customer authentication procedures shortly after the disclosures took place. The OPC reviewed those changes and recommended further steps to address weaknesses in their policies and procedures to prevent unauthorized individuals from gaining access to customers' personal information. All three companies have since taken additional steps to further mitigate the risks resulting from pretexting and unauthorized access to personal records. The Office of the Privacy Commissioner is generally satisfied that all three companies have put in place an adequate set of measures to address the problems.

Nonetheless, the Assistant Commissioner says the companies should have been better prepared to deal with social engineering in the first place. The issue of data brokers using social engineering to obtain call records in the United States had been in the news some time before these incidents occurred.

"It's particularly troubling that not enough was done to let call centre employees know about this kind of threat," says Assistant Commissioner D'Aoust.

"Given the prevalence of identity theft, it is absolutely crucial that all companies adopt strong authentication processes to help ensure that they are providing information to someone who is actually authorized to have that information. It is equally vital that companies ensure that their employees are following these processes and are aware of the threats to personal information that pretexting poses."

The OPC has developed Guidelines for Identification and Authentication on its web site.

A summary of findings in the three cases is also available on the web site.

New laws in the US have recently made it an offence to use pretexting to obtain individuals' phone records in an effort to curb the activities of US information brokers, including Locatecell.com. However, this does not mean the problem has gone away either in the US, or elsewhere, particularly in other countries, including Canada, where no similar legislation yet exists.

In an appearance before a Parliamentary committee last month, Commissioner Stoddart called on the federal government to work collaboratively with the provinces and international partners to adopt a range of legislative and policy solutions to address this problem.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

No comments: