Thursday 5 January 2012

Eons of experience but a major security data protection flaw – Time to put their energy into their debt recovery systems.

Over the Christmas festivities, a bill arrived and due the impending celebrations, it was, like many other things at this time of year, overlooked. Finally, after the celebrations were complete my mind returned to things business and I, like many others, started to go through old post and outstanding issues. One of these was a bill from Eon , which I paid on the last day to pay.

Next day, I receive an automated telephone message from a company apparently identifying itself as ‘Buchanan Clark & Wells’. I have never heard of this company, but the message was clear, it stated it was not selling and was from the aforementioned company. It provided me with a telephone number and a unique reference number and insisted I call this phone number and give the reference number.

Out of curiosity, I did this, and was greeted by a vaguely pleasant person who asked me for the reference number and my name.

Now this is where things became problematic.

I, of course, would not give my name, as I pointed out they had sent me a telephone message, provided me with the unique reference number and asked me to call, they should know who I am. It would have been unwise to provide my name or any other details because they could then potentially have my name, my telephone number and any other details I gave, which could be enough for some form of identity fraud. This is especially the case, as I still had no idea who I was calling or why I was suppose to call them. The voice message left gave none of this information. I also had no knowledge that this company was legitimate and that the telephone number was actually theirs!

Of course, this is where personal data protection comes back to haunt us. It is the law in the UK that no information can be discussed with a third party over the phone without the relevant parties identifying themselves. The woman on the phone identified herself as from ‘Buchanan Clark & Wells’, but as I have already stated this meant nothing to me and could have been a switchboard in India similar to the Microsoft scam which is still doing the rounds in the UK. For all I knew, she could have been in a council flat in Glasgow raking the money in from innocent callers who returned the call. I had no way of checking the authenticity of the company or the call unless I put the phone down, Googled ‘Buchanan Clark & Wells’ or the telephone number they provided. Honestly, how many people are going to do this and why should we be expected to do this. Surely, the onus should be on them not us, the consumer!

Due to the lack of ID and I being unable to verify the authenticity of the call I had no choice but to finish the call as the woman could not provide any further clues apart from the word Eon and Buchanan Clark & Wells. This simply is not sufficient to instil trust from an automated telephone call.

Therefore, there are a number of issues that need to be addressed here:
1) The telephone message could have been received by a child, surely this is against all protocols and should be illegal. Where does that leave the consumer? Is the consumer at the mercy of the energy provider or do they have rights to opt out of this abuse? Is the message logged down somewhere as having been received or will it be resent until the client contacts the agency?
2) Why did they not rely on a human voice to do the work and cut out the middle machine? I would certainly feel better talking to a real human.
3) How do we get through security issues to do with phones, if the third party cannot provide information to you to satisfy your own internal security concerns? If Eon had said to me that there was a security word they could use that would be unique to me then this might have helped.
4) How can ‘Buchanan Clark & Wells’ be allowed to use such poor security as this is open to abuse and replication by unscrupulous people. The obvious scam is to just dial a number using an automatic dialling machine and provide the same unique number to all callers and the same false telephone number and identify yourself as Imagonna Scamunow and I am sure that many people, like myself would return the call out of curiosity. For the scam to succeed the person on the other end of the phone has to suggest that the caller owes a utility company £X,000 and that they are a debt recovery agency. This could be followed by an insistence that this bill is paid instantly or immediate legal action will follow. Most people, I am sure would, without thinking would provide their name, address and credit card details.
5) How can the Legal Ombudsman allow companies to use such poor practices and condone a potential obvious security flaw?
6) How can we, as consumers, use the power of our money to show companies like Eon and ‘Buchanan Clark & Wells’ that their shoddy work practices are unacceptable?
7) How can we get the law of third party caller identification and data protection reviewed to be in line with today’s needs for security and information, two concepts that might not go hand in hand.
8) What new systems need to be developed to provide consumer safety against this sort of scam. Potentially this could have worse ramifications than the Microsoft Scam.
9) Can we as consumers take action against the company, in this case Eon for endorsing such a blatant breach of all things credible to human rights and data protection?