Recently I’ve been in contact with a mobile phone company about trying to cancel my contract, requesting the cancellation using their online form. Firstly, they said the email address I’d given didn’t match the one on the account, so they couldn’t do anything. I responded that they could have replied to the email address on the account for confirmation – verifying my identity is one thing, using it as an excuse for not trying to resolve the issue and take the requested action is another. However, I re-sent the request using the account address (it forwards to my current one, but in 10 years my primary email address has changed… once). In response to this, they asked for my postcode, which I duly provided. This time I got a response saying that it didn’t match what they had on record, so they couldn’t do anything.
Given that I’ve had the same address for 12 years, there shouldn’t have been any other address on record, but in case it was something like my parent’s address (again, I’m going back 10 years here, so I’m no longer 100% sure on what details I used, it’s been a while), I asked if they could confirm the first part of the postcode and (assuming it was a valid one) I could then confirm the second half. No. They couldn’t provide any information because of ‘data protection’. So I’m left with no idea what address they think I have, but I’m pretty sure it’s wrong.
However, given that I had received bills for previous contracts to my current address from this provider, I also know that they have had my current address on the system, so there should be some potential for working out that the postcode I gave them is a known address for me. However, the fallback again was that they couldn’t take any action. I even asked them to contact the email address they had for me to get confirmation (as I know if they send a message to that I’ll receive it), but no, because I couldn’t confirm some unknown but definitely incorrect address they wouldn’t do anything.
At this point I cancelled my direct debit and emailed them to confirm this had been done, saying that this should be proof that I am who I say I am and that they should cancel the contract because they have no further authorisation to take payments anyway. Only then did they agree to cancel the contract.
To me this has got far beyond the point of being a reasonable process, but where I reached a point of disbelief was on the phone calls.
Having asked for a formal complaint to be made as well as the contract cancelled, because they had been overly obstructive to cancelling the account, they phoned me. I got a call from an unlisted number, from someone claiming to be from Three wanting to speak about a recent contact. They wouldn’t provide any further details unless I provided them with my full postcode and date of birth. Now at this point I wasn’t handing over these details. I had nothing whatsoever to validate their identity, but they wanted me to hand over my security details. I really don’t think that a company should be demanding that their customers be willing to hand over full security details to a totally unverified caller from an unlisted number – that’s just encouraging their customers to leave themselves open to identity fraud.
I said as much. I offered to confirm part of the postcode and part of the date of birth, to which they said no, although I’m not sure the postcode bit would have helped given I was already dealing with a question about whether they had the correct address for me. I asked if they could do anything to confirm their identity to me, some piece of information that they would know, but they refused on the spurious basis of ‘data protection’. How, exactly, is it protecting my data to encourage me to hand over my security detail to a totally unknown caller?
In response to this I made a further complaint, that they were compromising customers’ data security by encouraging the risky practice of divulging security information to unknown callers. I said that since they had called the registered number, partial security information should be sufficient and would mitigate the risk; that they could provide something like an account number or the like to give some validation of their identity; and that if someone is not happy to confirm details to an unlisted number, they should have a process in place to give a reference code and get the customer to look up and call a number from the company website, so that the customer can be confident they are then speaking to the company and can be happy divulging that information. Additionally, I suggested that it would be simple to allow a customer to register a security word or phrase which the company can use to identify themselves when calling, and similarly the contact forms could prompt for a security word or phrase to use in relation to calling about that specific contact.
It’s not rocket science. There are many things which a company can do to sufficiently confirm the identity of who they are speaking to without encouraging excessively risky practices, and there are fairly straightforward practices such as those outlined above (or even just emailing a generated reference number in response to any contact form, which can be quoted in any call) which can provide more than enough validation of the caller’s identity before demanding that the customer confirm theirs.
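To make the process above concrete, here is a small simulation of the mutual verification flow it describes. This is an added example, not anything the company or the author provided: the contact form issues a single-use reference code that is emailed to the address on the account, the caller must quote that code plus the customer’s registered call word before the customer says anything, and the customer then confirms only partial details (outward postcode and birth year) because the company dialled the registered number. The class and function names, the one-week validity window and the sample account data are all assumptions made for the example.

```python
"""Mutual verification for company-initiated calls (added example, simulated).

Company side: one single-use, time-limited reference per contact-form submission.
Customer side: the caller must quote the emailed reference AND the registered call
word before the customer confirms anything, and then only partial details.
Names, the one-week validity window and the sample data are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

REFERENCE_TTL_SECONDS = 7 * 24 * 3600  # assumed policy: a reference is valid for one week


@dataclass
class Account:
    account_id: str
    postcode: str    # full postcode, e.g. "AB12 3CD"
    birth_year: int
    call_word: str   # customer-registered word the company must quote when it calls


@dataclass
class ContactReference:
    account_id: str
    issued_at: float
    used: bool = False


def _norm(s: str) -> str:
    """Strip whitespace and upper-case so 'ab12 3cd' and 'AB123CD' compare equal."""
    return "".join(s.split()).upper()


def outward_code(postcode: str) -> str:
    """UK postcode minus its 3-character inward code, e.g. 'AB12 3CD' -> 'AB12'."""
    return _norm(postcode)[:-3]


def customer_checks_caller(expected_code: str, expected_word: str,
                           quoted_code: str, quoted_word: str) -> bool:
    """Customer side: the caller must quote both the emailed reference and the call word."""
    return (hmac.compare_digest(_norm(expected_code), _norm(quoted_code))
            and hmac.compare_digest(_norm(expected_word), _norm(quoted_word)))


class ContactRegistry:
    """Company side: issues references on contact and validates partial details on calls."""

    def __init__(self) -> None:
        self._refs: Dict[str, ContactReference] = {}

    def open_contact(self, account: Account, now: Optional[float] = None) -> str:
        """Called when the contact form is submitted; the code is emailed to the account address."""
        now = time.time() if now is None else now
        code = secrets.token_hex(4).upper()  # 8 hex characters, unguessable
        self._refs[code] = ContactReference(account.account_id, now)
        return code

    def verify_customer_partial(self, code: str, account: Account, outward: str,
                                birth_year: int, now: Optional[float] = None) -> bool:
        """Accept outward postcode + birth year against a live, unused reference.

        The reference is consumed on success so a code overheard on one call cannot be
        replayed on a later one; an expired or unknown reference is rejected outright.
        """
        now = time.time() if now is None else now
        ref = self._refs.get(_norm(code))
        if ref is None or ref.used or ref.account_id != account.account_id:
            return False
        if now - ref.issued_at > REFERENCE_TTL_SECONDS:
            return False
        ok = (hmac.compare_digest(outward_code(account.postcode), _norm(outward))
              and birth_year == account.birth_year)
        if ok:
            ref.used = True
        return ok


if __name__ == "__main__":
    # Constructed sample data for a dry run of one contact and one callback.
    acct = Account("ACC-0001", "AB12 3CD", 1980, "heron")
    reg = ContactRegistry()
    ref = reg.open_contact(acct, now=0.0)                      # emailed to the customer
    assert customer_checks_caller(ref, "heron", ref, "heron")  # caller proves itself first
    assert not customer_checks_caller(ref, "heron", "DEADBEEF", "heron")
    assert reg.verify_customer_partial(ref, acct, "ab12", 1980, now=60.0)
    assert not reg.verify_customer_partial(ref, acct, "ab12", 1980, now=120.0)  # single use
    print("ok")
```

The ordering is the point: the caller authenticates to the customer before the customer discloses anything, and what the customer then discloses is deliberately insufficient to impersonate them elsewhere. If the customer is still not satisfied, the reference code is exactly what they would quote after looking up the published number and calling back.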
Basically, a company can royally mess up data protection and customer identity security in multiple ways. They can fail to confirm who they’re speaking to, and accidentally divulge personal information that way, which obviously has to be avoided. However, they can also encourage the customer to adopt bad practices and fail to support the customer in protecting their own identity, by demanding that the customer compromise their own identity security themselves. The latter is no better than the former, just probably a bit less likely to see the company in question getting fined. Banks have realised this problem and have adopted processes similar to the above to address it, so there’s no reason why other companies should not adopt similarly sensible practices to allow customers to protect the security of their identity. After all, in the former case, unless they’re completely reckless, they’re unlikely to divulge sufficient information to allow the customer to be impersonated with another company, but encouraging customers to freely divulge security information on the phone risks exactly that. A company therefore risks causing a far more significant cost and difficulty to their customers if their ‘data protection’ processes are not sufficiently considered. Hiding behind legislation doesn’t adequately justify this – banks manage to fulfil their identity verification requirements without creating the same risk (and will almost invariably have a process to point a customer to look up a number on the site and call back as a standard fallback), so mobile phone companies certainly can.
The ‘icing’ on the whole scenario was this: having made a complaint about encouraging the risky practice of divulging full security information to a caller from an unlisted number, I received a call from the company about my complaint. Before they’d discuss the detail of my ‘contact’ with them, they ‘needed’ to verify they were speaking to the right person, and demanded I give them my full postcode and date of birth. The EXACT thing I was complaining about them doing, they were doing again in ‘trying’ to address the complaint. Needless to say, I was gobsmacked by this, and told them that I was astonished that they would do that.
Needless to say I’ve no intention of giving them any further custom, despite having previously been a customer continuously for 10 years… they’ve managed to entirely reverse my opinion of them.