By Tim Ferguson, 22 June 2007 14:56
Orange and Littlewoods have been found to be in breach of the Data Protection Act (DPA) by the Information Commissioner's Office (ICO).
The finding relates to customer details being left open to potential fraud or retained without customer consent.
Orange call centre employees were found to be sharing log-in details for the customer information database, meaning there was no way of knowing who had accessed data.
An ICO spokeswoman said: "It [the database] was potentially open to fraudulent use. It could potentially be quite serious."
However, an Orange investigation found no evidence to suggest customer data was disclosed to anyone who shouldn't have access to it.
As soon as the company became aware of the issue, procedural compliance was tightened and a company-wide communication was sent out reminding employees it was against Orange policy to share log-in details.
Littlewoods were investigated after a customer continued to receive marketing material after requesting their details be removed from the company's database.
In a statement, Littlewoods said the issue affected one individual and was caused by a "clerical error which has now been rectified".
A Littlewoods spokeswoman said: "It's not indicative of a general failure to uphold the general data-protection principles."
Both companies have signed a formal undertaking with the Information Commissioner to comply with the principles of the Data Protection Act.
Paul Skinner, underwriting specialist at Chubb Insurance, said the ICO's ruling should be a "wake up call to businesses throughout the country to adopt stricter measures and working practices to protect confidential data".
If the two companies continue to fail, they could be subject to further ICO action, which could lead to unlimited fines in the event of the issue reaching a crown court.

Comments
There are 2 comments.
1. anonymous
For several YEARS I was receiving marketing material from Debenhams for a former occupier of my address. I continually requested that their name be removed from the database of them and their marketing company, directly by phone and in writing, and it took me YEARS to get the matter sorted. In the future I will know where to go to get them to listen. The ICO. Am glad I do not use Orange, but are the other mobile companies doing a similar thing, I wonder. Log-in sharing does exist, I know from previous employments of mine!
2. PaulW
It’s probably worse than they are aware!
While trying to get help from Orange myself, the operator asked me if I was certain I used the correct spelling for my password and duly read it to me. So an Orange password is visually available to their anonymous operators.
It’s disturbing when you consider the number of people who use the same password to access several facilities, including banking. Perhaps networks should advise their customers when their passwords are not for machine eyes only.