Down these mean streets a man must go

by | Nov 21, 2013 | Data Protection, ICO, Information Security | 3 comments

Especially given my last blog accused the Information Commissioner’s Office of incompetence, it’s nice to be able to celebrate an aspect of their work. Yesterday, the directors of ICU Investigations (geddit?) and the company itself were convicted of blagging data from a variety of organisations, for a variety of organisations. If you’re expecting me to find some aspect of this story to use as a stick to beat the Commissioner with, not today. It’s a triumph. Five employees had already pleaded guilty, but by successfully prosecuting the directors, the Commissioner has sent a powerful message to other organisations who might be tempted to blag and, specifically, to employers who might seek to blame errant staff. The only downside to the prosecution is the paltry punishments available to the court, but again, the ICO cannot be blamed for that. Christopher Graham has run a consistent campaign to transform the fines for data theft into something more effective, and this is no exception. His statement on the case said:

The public expects to see firmer action taken against people who break the rules in this area, and Parliament needs to recognise that. I spoke with the Home Secretary Theresa May on this matter earlier this week to urge her to introduce more effective sentences for these kinds of offences, and she has agreed to meet me to discuss the matter. That conversation needs to result in action.

So, to the ICO, I say keep up the good work. For everyone else associated with this story, some serious questions need to be answered. GP surgeries, hospitals, British Gas, EON Energy and TV Licensing were among the organisations that volunteered information to the blaggers. Principle 7 of the Data Protection Act requires organisations to have a range of technical and organisational measures in place, but checking that the man who phones up is who he says he is, is one of the most basic. Very few of my trainees ever treat this news as a revelation. And yet ICU’s devious methods were to ring up and….. say they were someone they weren’t. BBC News played a number of call recordings, and one of them should be available here.

The cheery, breezy manner is very effective, but there is no skill, no special technique. They rely solely on the person on the other end of the phone being too polite or hurried to question them. In case you’re wondering, a simple technique with an external organisation is to ring them back via their switchboard number (which you find out yourself), not via any number they give you. All you need to do with a customer is ask them a question only they would know the answer to (a PIN, a password, the last payment they made). It used to be common practice to ask for mother’s maiden name or first pet, but given the amount of this kind of information willingly disgorged by people onto Facebook, something account-related is probably better.

Everyone who gave information to ICU (and everyone who will today give information to one of ICU’s many competitors) is legally obliged to have in place procedures and training so that every person answering calls and emails is on their guard. And more importantly than the legal obligation, they owe their customers the courtesy of valuing and protecting their information. The BBC reported that one of the most frequent targets was TV Licensing, which is one of the BBC’s functions but which has for many years been outsourced to Capita. The overwhelming majority of us have no choice but to pay for a TV licence, and we are owed more than the mealy-mouthed ‘we’ve tightened up procedures’ hogwash that the Corporation has squeaked out so far.

The organisations who gave out the information are not the only ones who should be examining their actions today. The ICO reports that ICU’s clients included Allianz Insurance PLC, Brighton & Hove Council, Leeds Building Society and Dee Valley Water. A quick trip to ICU’s testimonials page also reveals recommendations from ‘a major gas supplier’ and ‘a rural local authority’. The first thing is that it’s entirely possible that ICU’s client list also included some of its targets. More importantly, there is a word that keeps popping up through the comments: ‘prompt’. The scrolling news on ICU’s site has unsurprisingly not been updated to include the court case, but it does contain this fascinating product:

NEW Emergency Trace Reports
ICU supply emergency trace reports within 24 Hours for customers with urgent court deadlines or financial targets to meet. These will be offered at the same cost as 48 Hour Express services (for regular customers)

The ICO was quick to exonerate the clients: “The information requested could typically have been obtained legitimately, and there was no evidence clients were aware the data had been obtained by illegal means.” But I’d like to pick at that scab. I don’t think the Commissioner should look any further – there are clear guilty parties in this case and they’ve been dealt with. I’m certain that the clients didn’t know personal data was being stolen. The question is, were they at least naive in not asking whether it might be?

In the same way that organisations who gave out the information have to tighten their procedures (and ought to apologise), the clients should ask themselves where they thought the trace information was coming from. Of course, a private investigations firm might have techniques that we can only guess at. However, I have met and trained a lot of people who work in debt recovery, which is exactly the kind of tracing that ICU could assist with. In-house debt recovery people spend a lot of time knocking on doors, talking to relatives and neighbours, visiting previous addresses. It’s slow, tedious and laborious work, and the information you get is sometimes useless because it is wrong or out of date. But it’s legal. I’ve helped a lot of organisations in their attempts to get address and other information from third party organisations. It requires patient explanation of the Data Protection Act and carries no guarantee of success. But it’s legal. And then, of course, there is the court order – expensive and time-consuming. But, by definition, it’s legal.

If any organisation can quickly provide you with accurate information about a person’s location, in my opinion, there are only two possibilities and I would welcome any suggestion about any other. Either the information is available publicly (via an official source, or Facebook or a similar social media site) or it is obtained by questionable, if not downright illegal, means. If information is available publicly, then why are organisations hiring private detectives to find it? In my second plug for Act Now this week, you can even go on courses that teach you how to do it yourselves. If information cannot be obtained from a public source, then unless you believe in magic, it’s very hard to understand how it can be sourced quickly and yet also legally. The ICO rightly went after the private investigators here, but nobody should be complacent.

There is a black market in stolen information in the UK, and even the ICO’s admirable efforts here probably only scratch the surface. The problem will not be solved unless organisations stop leaking information, and ask themselves searching questions about how the information they use was obtained.