Anti-virus service provider steps up safeguards after customer personal information fraudulently used by someone posing as an employee

Early resolved case summary #2015-05

June 28, 2015


Lessons Learned

  • Organizations must protect personal information they have collected by implementing security safeguards that protect against loss or theft, unauthorized access, disclosure, copying, use, or modification, including actions by the organization’s own employees. The Office of the Privacy Commissioner of Canada has developed a self-assessment tool for organizations, designed to help organizations evaluate how well they are protecting and safeguarding personal information.
  • Organizations must put in place procedures to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use.
  • Organizations must investigate all complaints. If a complaint is found to be justified, the organization must take appropriate measures, including, if necessary, amending its policies and practices.

Complaint summary

A couple received a phone call from someone claiming they represented the company with which the couple had taken out a service contract for computer virus protection. The caller asked for remote access to their computer, claiming that their computer had been hacked. The couple was suspicious of the call and refused access.

To verify their suspicions, one of them later contacted the company directly. She was told that the call was a hoax since the company’s technicians do not contact customers in this manner.

Later that same day, another call was received at home by the individual’s spouse from someone claiming to be a technician from the company. When the spouse told the caller they had serious doubts about the technician’s validity, the caller reassured the spouse by telling him the couple’s private account number. Persuaded it was a legitimate call, the spouse then allowed the caller remote access to the couple’s computer so the caller could “fix the problem”.

The caller then offered the spouse a reduced price for the couple’s ongoing service contract as retribution for the hacking that had purportedly occurred. The spouse was told that if he accepted, he would be refunded the original contract amount he had paid. The spouse agreed to the new lower price and allowed a second payment to go through on his credit card, with the expectation that the previous charge would be refunded. However, when he checked his next credit card statement, he noticed that he had not been refunded the original amount as promised. Moreover, the second payment had gone through and was billed by an unknown party, i.e., a company name that the couple did not recognize.

Results of the couple’s subsequent research concluded that the unknown party was in fact a marketing company, not the original service provider. Believing that at least two companies had by then accessed their computer and personal information, they cancelled their credit cards, notified credit bureaus of the fraudulent use, and changed their passcodes. When they reported the matter to their credit card company, it agreed that the transaction was fraudulent and reversed the second payment that had been made on their account by the marketing company.

However, despite several subsequent attempts, the couple was unsuccessful in persuading customer service agents at the actual service provider to investigate the apparent fraud and impersonation of one of their employees. They then turned to our Office to look into the matter and find out how the marketing company had obtained their private account number from the service provider.

Outcome

Our Office contacted the service provider and requested that it conduct an investigation as required by Principle 4.10.4 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The investigation revealed that one employee had accessed the complainant's account for no legitimate reason. The company reported that the employee had since been dismissed. The service provider then contacted the individuals affected, apologized and reimbursed them in full the original (higher) amount they had paid for their service contract.

The company also responded by putting in place an auditing system so that if the number of customer files accessed by an employee ever exceeds the number of customer calls received, an alert is sent to its risk department for investigation. As well, in light of the difficulty experienced by the couple in reaching the company and having their privacy concerns addressed, the company informed us that it had implemented a new, more streamlined procedure to escalate privacy concerns to management's attention.

When the couple was informed of these changes, they indicated that they were satisfied with the outcome.

Date modified: