Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2007-372

Disclosures to data brokers expose weaknesses in telecoms’ safeguards

[Principles 4.3, 4.7, 4.7.1; section 2]

The November 21, 2005, edition of Maclean’s magazine contained an account of how the magazine obtained records of telephone calls made by the Privacy Commissioner of Canada, Ms. Jennifer Stoddart, from her home telephone and Office BlackBerry numbers, as well as the cell phone records of an unnamed Maclean’s senior editor. The records in question were purchased by the reporter from Locatecell.com, a U.S. data broker, which had, in turn, obtained them from Canadian telecommunications companies, Bell, TELUS Mobility, and Fido. Concerned about how these disclosures could happen, the Assistant Privacy Commissioner initiated complaints against the Canadian companies.Footnote 1

The investigations revealed that Locatecell.com had used “social engineering” to successfully circumvent the customer authentication procedures of Bell and TELUS Mobility.  Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.  Pretexting is one such technique and is the act of creating and using an invented scenario to obtain information from a target, usually over the telephone. In the cases at hand, there was no evidence that anyone had hacked into the companies’ systems or that the disclosures were made by rogue employees.

It was established that employees in all three organizations did not follow customer authentication procedures and thereby failed to adequately protect customer personal information. The Assistant Commissioner concluded that neither the companies’ authentication procedures nor the training of their Customer Service Representatives (CSRs) was sufficiently comprehensive to protect their customers’ personal information or to meet the requirements of the Act.

The Office was disappointed that these organizations were not better prepared. Social engineering is a known threat to the confidentiality of customer personal information, and the specific issue of data brokers obtaining call records had arisen in the United States the summer before the events described in these complaints. The Assistant Commissioner was therefore particularly troubled that not enough had been done to alert employees to such threats and thereby prevent the disclosure of customer personal information.

Nevertheless, the Assistant Commissioner was pleased that all three companies revised their customer authentication procedures shortly after the disclosures took place. Although the companies had introduced important changes, the Assistant Commissioner was of the view that they could take further steps to address the weaknesses in their policies and procedures with respect to unauthorized individuals gaining access to customer personal information. He recommended further changes to CSR training and to procedures on disclosing personal information and authentication in order to mitigate the threat of access to personal information by unauthorized persons. The companies implemented all of the measures except one, for which they proposed other actions that were found acceptable by the Assistant Commissioner. As a result, the Assistant Commissioner found that the complaints against all three companies were well-founded, but have since been resolved given the corrective actions taken by the organizations.

The following is additional information on the investigations and the Assistant Commissioner’s deliberations, specific to each company.

Summary of Investigation #1 – Bell Canada

The Maclean’s reporter was able to obtain details of telephone calls on Ms. Stoddart’s two Bell Canada accounts, which he stated he had obtained from Locatecell.com. Ms. Stoddart did not have knowledge of, nor did she give consent to, this disclosure of her telephone call details by Bell.

After learning of the matter, Bell conducted a review of its systems and concluded that they had not been technically hacked into. There was also no evidence of suspicious internal activity involving any employee. After further testing, it was determined that customer personal information was obtained through a process known as “social engineering.”

By analyzing Bell’s automated voice system logs, the company determined that on November 2, 2005, a number of calls from the United States were made to a number of specific Bell Customer Service lines. Most of the calls were handled by the automated voice system. Attempts had been made to access the self-service applications on the system, but these were unsuccessful because the caller was not able to get through the validation process.

In two of the calls, the caller was redirected to a CSR. Bell Canada identified the CSRs who handled the calls. One of them no longer works for Bell and could not be reached. The other CSR stated that she did not remember the call given the volume of calls she handles every day, many concerning billing inquiries.

When the Locatecell.com records were compared to Bell’s billing records, they did not reflect the original request and contained numerous discrepancies, which were consistent with numbers being disclosed verbally while someone is trying to simultaneously type them on a keyboard. No copies of any Bell bills were disclosed by Bell to Locatecell.com. Rather, the call detail information was provided verbally by the CSR over the telephone.

In order to determine how Locatecell.com was able to obtain the call records, Bell submitted a request for information via the Locatecell.com site. Two calls were placed from the same US locations as the earlier calls. Locatecell.com responded to the test request on the same day, providing the information that had been requested.

Bell identified the CSRs who handled these calls from Locatecell.com. In both cases, the caller used pretexting techniques and the CSRs failed to authenticate the caller before divulging call record details.

Further testing was done by Bell. The data broker again relied on pretexting to obtain call record information. In one instance, he was successful, but not in the other.

The Office reviewed the company’s validation procedures in place at the time of the incident, subsequent test calls, as well as the corrective action taken. Following the incident and subsequent testing, Bell promptly amended its validation procedures to further protect against the use of pretexting to gain unauthorized access to customer information and issued reminders and provided additional training to CSRs on the importance of customer confidentiality and compliance with its validation procedures. Bell further amended these procedures a few months later, taking into account negative customer feedback about the amount of information they had to provide during the validation process.

Customers for some time have had the option of establishing a password on their account. If there is a password on an account, the customer has to provide it in order to be validated.  CSRs are further instructed to offer the password service to customers with various concerns, including privacy concerns.

CSRs receive training on authenticating customers as part of their initial employee training. They have easy access to all of the company’s practices and receive information on all new procedures. CSRs were given face-to-face training on the new customer validation procedures, and coaching of CSRs is ongoing.

We spoke to the CSRs who were involved in the test calls, as well as the one who disclosed Ms. Stoddart’s call records. All acknowledged having received training on customer validation during their initial employee training. They claimed that they received no subsequent customer validation training until the new procedures were implemented in late 2005. On the subject of confidentiality of customer information, two were familiar with this concept and acknowledged having received training on privacy and ethics. The other two CSRs were not familiar with it and claimed that they had not received training on privacy and ethics. 

With regard to confidentiality of customer information, employees are required to sign off annually on the company’s code of conduct, which includes a section on customer privacy. Employees are given an array of documents, which we reviewed, concerning the company’s privacy policy and specifically the confidentiality of customer records.

On November 14, 2005, Bell issued a press release that reinforced the importance of protecting customer information. Bell pointed out that subterfuge and misrepresentation had been used, and that the companies and customers involved were victims of fraud. The release stated that Bell had tightened its safeguards, recognizing that this would cause some inconvenience to customers legitimately requesting their personal information. It also noted that the company was continuing its efforts to investigate whether there was any legal action that would stop the fraudulent practices.

This case triggered the following sections of the Personal Information Protection and Electronic Documents Act (the Act): Principle 4.3, which states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

In making his determinations with regard to Bell, the Assistant Commissioner deliberated as follows:

  • There was no dispute that Bell had disclosed to Locatecell.com the call records associated with Ms. Stoddart’s two telephone accounts without her knowledge or consent, contrary to Principle 4.3.
  • The circumstances under which the disclosure occurred could not be determined except that the records were disclosed verbally by two CSRs.
  • The Assistant Commissioner was concerned that subsequent tests of Locatecell.com services by Bell revealed that some Bell CSRs were not following customer authentication policies and procedures, contrary to Principles 4.7 and 4.7.1.
  • As a result of the disclosure, Bell revised its customer authentication procedures and undertook to train its CSRs on the new procedures. Bell has also introduced, in 2007, a new “voice recognition service” in its automated voice system that allows customers who so desire to enrol in the service and use it as their method of authentication.

Summary of Investigation #2 – TELUS Mobility

The reporter also obtained a record of cell phone calls on a TELUS Mobility account from Locatecell.com. The call records in question were initially assumed to be associated with Ms. Stoddart’s Office-issued BlackBerry number, but were later determined to be associated with an Office staff member’s Office BlackBerry number.

TELUS Mobility was able to determine which client care representative (CCR) disclosed the information. Pretexting was again used by the data broker. The CCR in this case was a relatively new employee, and in an attempt to be helpful, disclosed call record information and did not properly authenticate the caller according to established procedures.

Attempts were made by the caller to access the account information via TELUS Mobility’s Integrated Voice Recognition system, but were unsuccessful as the caller was unable to thwart the validation process.

As for why the Office employee’s call records were disclosed instead of Ms. Stoddart’s, which were requested, it was surmised that since the employee’s BlackBerry number appears on the same corporate account as Ms. Stoddart’s BlackBerry number, the CCR may have inadvertently accessed the account information associated with the employee instead of account information associated with Ms. Stoddart, as requested by the caller.

The caller asked to review three bills—August, September and October. He asked for the date and number of each call, and how many times in a day the same number appeared. Once the CCR had given him the calls for the September and October billing period, he said that was enough and the call ended.

About a week after the call, during a regular meeting with her manager, the CCR mentioned the call as it had raised her suspicions. The employee was coached on what steps she should take in the future when confronted with a suspicious call.

According to TELUS Mobility, on average, it processes several million incoming customer calls per year, and prior to this incident it had not had any reports of similar incidents.

We compared the actual invoice information for the Office employee’s number with the calls that Locatecell.com provided to Maclean’s in response to its request for Ms. Stoddart’s information. We noted errors and omissions, which appeared to be consistent with information being provided verbally at a fairly rapid pace.

Ms. Stoddart’s and the Office employee’s BlackBerrys are part of the Office’s corporate account. At the time of the disclosure, there was no PIN on the account.  TELUS Mobility has specific validation procedures for a call handled by a CCR concerning a corporate account without a PIN. 

CCRs receive training on authentication procedures as part of their initial employee training. CCRs can access the procedures at any time. TELUS Mobility also sends periodic reminders to CCRs on authentication.

TELUS Mobility provided documentation to the Office regarding the evaluation of CCRs, postings on verification procedures, and other training materials which include information on social engineering. CCRs are also required to complete learning programs that make reference to the protection of customer information. Two of these courses must be completed annually.

TELUS Mobility took a number of steps to address the issue, including providing information to employees on social engineering and stressing the importance of following established procedures. Further amendments to these procedures may be made.

In order to determine the methods used by Locatecell.com and other information brokers, TELUS Mobility conducted tests of their services. Only one of TELUS Mobility’s e-mail requests to the data brokers was acknowledged, but no records were forwarded to it by any of the brokers.

In this specific case, the following sections of the Act were relevant: Section 2 defines personal information as information about an identifiable individual. Principle 4.3, which states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

  • On the matter of personal information, TELUS contended that the information obtained by Locatecell.com did not constitute personal information within the meaning of section 2 of the Act. It argued that:
    • A record of calls made by an employee for work-related purposes from an employer-provided telephone should be viewed as the employer’s business information rather than the employee’s personal information.
    • The BlackBerry number was the telephone number of an employee of an organization and therefore was excluded from the section 2 definition of personal information.
    • A list of numbers called was associated with an employee rather than being about an employee. Thus, it should be considered work-product information.
    • Locatecell.com did not know that the records it obtained were the employee’s and not Ms. Stoddart’s and would not have been able to associate the records with the employee. Therefore, it was not information about an identifiable individual.

In making his determinations with regard to TELUS, the Assistant Commissioner deliberated as follows:

  • He asserted that the cell phone records are indeed personal information and reasoned that:
    • The Act makes no distinction between personal information and business information. Who an employee chooses to call while at work, including personal calls, is that individual’s personal information.
    • What was at issue in the complaint is not the employee’s cell phone number but her entire calling history.
    • An employee’s calling history is not the tangible result of his or her work but represents the manner in which that employee does his or her work in order to achieve a work-product. As such, the calling history should be considered personal information “about” that employee.
    • The fact that TELUS Mobility did not disclose the personal information of the person requested does not mean that TELUS Mobility did not disclose information about an identifiable individual. Even though the name of the BlackBerry holder was not expressly released together with her call record does not mean that the individual could not be identified. Had Locatecell.com or the journalist (or anyone else for that matter) called everyone on the call record list, there was indeed a serious possibility that they would be able to piece together enough information so as to eventually be able to ascertain the correct identity of the BlackBerry holder. Therefore, the call record when taken in its entirety in the present context was information about an “identifiable” individual.
  • There was no disputing that TELUS Mobility disclosed to Locatecell.com the call records associated with the Office employee’s BlackBerry without her knowledge or consent, contrary to Principle 4.3. The disclosure occurred because the CCR did not verify that the caller requesting the information had the authority to obtain the information.
  • Furthermore, at the time, TELUS Mobility did not have procedures in place to address the scenario that led to the disclosure, in contravention of Principle 4.7 and 4.7.1. TELUS has since changed its procedures.
  • The Assistant Commissioner pointed out that other factors in the disclosure were the inexperience of the CCR and the fact that the tactics employed by information brokers were not covered in her training. CCRS have since been issued several bulletins on tactics used by brokers.
  • TELUS Mobility also took a number of other steps to prevent such disclosures from occurring in the future.

Summary of Investigation #3 – Fido

The November 21, 2005, edition of Maclean’s magazine also contains an account of how the magazine obtained the Fido cell phone records of an unnamed Maclean’s senior editor from Locatecell.com. The reporter, however, would not disclose the editor’s name to either Fido or our Office. Fido was therefore unable to provide any specific details about the alleged disclosure.

Fido, like Bell and TELUS Mobility, tested Locatecell.com’s services in order to determine whether the data broker could obtain customer call detail information as the Maclean’s article claimed. It submitted a request and Locatecell.com provided Fido with the requested call details. To find out how Locatecell.com obtained the information, the company tracked all CSR activity on specific customer accounts in order to view the CSR notes and actions. Fido then made two purchases from Locatecell.com on the monitored accounts. In one case, Locatecell.com was able to obtain call details.

Fido determined that the information was not disclosed by a dishonest employee nor was the disclosure the result of any hacking into its systems; rather the broker, as in the Bell and TELUS cases, relied on pretexting to obtain the records.

This case raised the following provisions of the Act: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

The specific allegation in Maclean’s that an editor’s Fido call records were disclosed without knowledge or consent could not be substantiated.

However, Fido conducted additional tests and found that Locatecell.com was able to obtain customer information from the company’s CSRs through pretexting. The CSRs disclosed the information without verifying the identity of the caller, contrary to Principle 4.3. The Assistant Commissioner was concerned that these tests showed that not all Fido CSRs were abiding by customer authentication policies and procedures, contrary to Principles 4.7 and 4.7.1.

Fido provided the Office with a comparison chart of its pre- and post-incident customer validation procedures for both Fido and Rogers Wireless (Fido is a subsidiary of Rogers Wireless Inc.). Customer validation is mandatory by all CSRs, and the CSR disclosing information is responsible for validating the customer.

As a result of the incident, Fido/Rogers took steps to eliminate the ability to obtain call records through its automated system, and increased the identification required when speaking to a CSR.

All CSRs received information, which they were required to sign, on the company’s new measures. Additional measures were instituted to ensure that new CSRs know customer validation procedures. Information was also sent to all employees regarding attempts to illegally obtain customer information, and to prohibit the faxing of call details. Retail outlets were further instructed on validation. The company also conducted a review of its validation procedures.

CSRs receive training on confidentiality of customer information, including customer validation, as part of their new employee training. Information on customer validation can be easily accessed by CSRs at any time. Fido also provided documentation on confidentiality policies to which employees must adhere.

Recommended actions for Bell, TELUS Mobility and Fido

While acknowledging the measures the companies had already taken, the Assistant Commissioner believed that they could take further steps to address the weaknesses in their policies and procedures for mitigating the threat of unauthorized individuals gaining access to customer personal information.

It was therefore recommended that Bell, TELUS Mobility and Fido each undertake a number of specific actions to strengthen customer service representative training, limit personal information disclosures and improve authentication procedures.  The companies responded that they would implement his recommendations, with one exception. However, for this exception, they proposed other measures that the Assistant Commissioner found acceptable.

Accordingly, the Assistant Commissioner concluded that all three complaints were well-founded and resolved.

The Assistant Commissioner provided the companies with a copy of our Guidelines for Identification and Authentication, and highlighted for their consideration sections concerning authentication factors and audit.

The Assistant Commissioner acknowledged that customers may object to some of the changes implemented by the companies. He noted, however, the role that the individual plays in the protection of her or his personal information by questioning and avoiding the use of weak authentication processes, by choosing strong authenticators (for example, passwords and PINs that are random and difficult to guess), and by responsibly and continuously safeguarding their identifiers and authenticators. Organizations can ease the situation by providing customers with general information on the importance of authentication.

Update on data brokers

The situation in the United States regarding data brokers such as Locatecell.com has changed in the last few months, with draft legislation being introduced, at both the state and federal levels, to make it an offence to use pretexting techniques to obtain, sell, or solicit others to obtain phone records. Some of this legislation has been passed into law. Moreover, several lawsuits have been filed against Locatecell.com by various organizations, including telephone companies. Bell obtained an injunction against Locatecell.com, its principals and several related companies, prohibiting them from attempting to obtain customer information. TELUS Mobility had also engaged US legal counsel to initiate action against the operators of Locatecell.com, but later dropped this course of action when it became apparent that Locatecell.com had ceased business operations. Indeed, US information broker activities have been stopped in many cases or minimized. Many of the broker websites are unavailable, and the site for Locatecell.com has been inoperative for some time.

Nevertheless, this does not necessarily mean that the threat to the confidentiality of personal information has vanished or that databrokers have disappeared from the U.S. or other countries (particularly those that do not have similar pretexting laws). In Canada, a private member’s bill, Bill C-299 was introduced in the House of Commons on May 17, 2006.  The purpose of the bill as originally drafted was to protect individuals against the collection of their personal information through fraud and impersonation (pretexting). To date, the bill in its original form has not been passed into law.

As noted in our Guidelines, threats to personal information are constantly changing and emerging. Organizations must adapt their policies and practices to manage these new risks and protect the personal information in their care.