Given the focus and media attention on data breaches over recent years which have affected probably most major names you’ve bought something from, why do companies still find it so difficult to educate customer services staff on safe ways of handling customer queries and complaints?

Not convinced?  Take a look at this visualisation of reported breaches over the last decade.  https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

I opened a Vodafone mobile broadband account to bridge a gap between ISPs and needed it for only three weeks, the transaction was seamless and in 24 hours a Mobile WiFi gadget was sent to my home and I was up and running in minutes.  It was Pay-As-You-Go with no minimum contract term, and so after three weeks lock down was well underway, and to their credit my ISP connected me up as promised and so I had no need for the mobile dongle…  I managed to speak to customer services rep who was working from home (I remember thinking what an ethical company supporting staff during the pandemic) and my contract was cancelled.  All seamless and a fantastic customer experience… or so I thought…

Vodafone have now been taking direct debits for an extra two months after the disconnection date which is beyond the agreed payments.  I try and contact Vodafone again, but no one is manning the phones in the call centres any more due to covid-19 the service is understandably pared back.

The automation robots are unable to help as they don’t understand the enquiry, so I took to social media and Twitter to ask for help.  That did the trick!  Within a few minutes a helpful Social Media Rep answered my cries for help and a DM was sent.

Why would anyone want to give their data of birth over an insecure social media connection? Madness, I tell ya, madness…

Applying the Principles of GDPR and the minimum information required to identify me, I provided: –

• Year of Birth
• Post Code
• Email Address
• The last two digits of Sort-Code
• Bill Amount
• Account Number

That should be more than sufficient to identify me as a customer, especially as my query is in relation to a closed account which I’m flagging the fact they’ve erroneously taken an extra two months payments via Direct-Debit.

Apparently “None Shall Pass”…

We’re at a stalemate…  I’m not prepared to provide my full DOB on a social media channel and equally a corporation as large as Vodafone should not be asking customers to do so, after all this information can trivially be used for identity theft at a minimum.  This is where better education for contact centre staff is needed.  The number of times I hear GDPR misquoted and paid a pound, I could retire by the time I’m 65…

Needless to say, it’s Monday, I finally make contact via their website and all I had to provide was the account number and the last two digits of my sort code to ID&V me as a customer.  Talk about a disconnected approach to security checks and customer experience.  None the less the issue was resolved quickly.

Of course, this conversation and experience could be applied to any company we do business with on the internet, it just so happens that this was my experience over the weekend…

Whilst we have standards that cover payment cards i.e. PCI-DSS it amazes me that even in 2020 we don’t have an industry standard for processing and storing non cardholder customer data, which we see appear in the numerous breaches occurring world-wide due to storage of unencrypted data, or contact centre staff recording details of customer information that’s made available for sale on the Dark Web or even the less than Dark Web…

We need to better educate industries and customers about GDPR, Data Protection, Encryption of Data and standards for Identity and Verification of not only the customer, but also the contact centre staff and sponsoring exec, to ensure a seamless and consistent experience.

How many times have you received a phone call from a utility company or bank that has a withheld number and asks you for your date of birth, name and home address?  We need an additional factor, a secret word or phrase that is stored on their databases that we as customers can challenge the enquiring company to help prove or provide confidence it isn’t a scam call…. That’s not to say without proper handling that data couldn’t be compromised, and we know that in today’s tech world, caller ID on your phone is no guarantee that it’s the real number calling you as these can be trivially spoofed with the right equipment…

It requires a step change in all industries to invest and agree standards for storing and processing data to make it harder for the data to be viable post breach…

Then again, if you were smart enough to collate all the data from the breaches that have occurred to date, you could profile the public with sufficient detail to fool the most ardent of AI Fraud Detection Services… but that’s a post for another day…

https://www.linkedin.com/pulse/none-shall-pass-jason-brooks-cissp