Carphone Warehouse You Have a Duty of Care With Customer’s Privacy!
Posted on September 19th, 2011 2 comments
Filling time whilst in a shopping centre with one’s family is a well learnt male skill. For those with more middle of the road interests it’s off to WH Smith’s for a browse of the car magazines, for those of us with more geek’fu it’s a trawl of the mobile shops to toy with the latest shiny goodies.
At the weekend I happened to be in Carphone Warehouse’s big open store at Bluewater for one such time wasting fondle session and happened upon a wall full of working phones ripe for a quick look see. It is all too rare to find phone shops with a happy attitude towards breaking boxes and sticking real working phones out there for customers to try, sadly reverting to the stock compressed cardboard or hollow shell imitations. So given such choice the HTC Sensation was an obvious place to start, it is basically an updated version of my current Desire HD so a comparison seemed fair.
What didn’t seem right was that when the screen came to life it was showing someone’s Facebook wall. Odd, but it’s not unheard of for a fellow fiddler to have used an in-store demo device to have a sneaky poke and forget to log out.
I did the decent thing and left a “you muppet” type post on his wall and logged the phone out. But when the homescreen came up it was obvious something far more worrisome was going on.

The homescreen wasn’t a stock HTC Rosie layout with loads of widgets and apps being moved, there were update and email notifications in the status bar, there were matched contacts awaiting approval.
A quick and very discreet look around pointed to this phone having actually been set up from new by someone. Not set up as in just having a play in a shop, but set up by someone sitting around with enough time on their hands to get the phone how they wanted it. This was obviously a customer returns phone that had been stuck back on display with no thought.
There were of course a number of things I could do. I could have notified one of the half a dozen bored looking staff chatting to each other in the middle of the store whilst customers stood around idle; but honestly if those same staff couldn’t have been bothered to check a returns phone what hope was there now. I could have had a proper play with his “Scott’s” accounts or even hijacked a few of them. I didn’t, I took the kinder option and hit the magic half a dozen keystrokes to wipe the SD card and factory reset the phone.
The point of this is our smartphones contain a wealth of personal information from our intimate sharings with loved ones through to our TV preferences through to the keys to our email and bank accounts. It’s all too easy nowadays to pick up a new phone, log into the cloud and for the handset to be automagically populated with our stuff. BUT retailers have a duty of care when handling those devices, whether it’s for repair or return in ensuring that personal information goes no further.
What appears to have happened here is akin to giving your plumber house keys to fix a leaky tap and them walking away leaving the front door wide open.
It’s not acceptable.
Anyone from Carphone Warehouse around because I’d love to hear your thoughts?
-
Hell – The Right Approach to a Data Breach
Posted on July 23rd, 2010 3 comments
There are any number of approaches to data breaches in business today. Whilst regulation is ever trying to get to the point where notification of breach is mandatory there are still plenty of businesses out there who will go to all sorts of lengths to sweep things under the carpet rather than own up.
Not so Hell – a truly rocking pizza company in New Zealand. Certainly no stranger to controversy – some of their marketing campaigns have been widely criticised, Hell seems to be taking the bull-by-the-horns and going all out to keep people happy.
Today I received an email from them…
Dear Valued Hell Customer,

We have been approached by a party claiming to be in possession of
customer details from the previous Hell website which is no longer in
operation. The samples that we received included details of four customers
from 2006, including phone numbers and email addresses and order
information. We can confirm that credit card data was not at risk as this
is held independently on a secure banking website.

Whilst we are still investigating the matter, we can confirm that the
information was obtained without our knowledge and we have approached the
New Zealand Police with a view to lodging a formal complaint. Hell
recognises the importance of protecting customer information and additional
security measures were implemented earlier this year when our new website
was rolled out (again, we reiterate that this is not an issue affecting the
new website). As a further security measure you may wish to consider
changing your passwords on other sites if they were the same as the old
Hell Pizza website.

We apologise for the incident and any inconvenience that this may have
caused.

Sincerely,
Stu McMullin – Director Hell Pizza

We acknowledge that some of you have asked to be removed from the database
and we have only included you for the purposes of this notification.

No mucking about, no bull, just a straightforward there might be a problem, we know, the police know so go do this just to be safe.
This IS the right approach to notification in my opinion.
I’m not totally up to date on NZ privacy law (a couple of years out of date), so it could well be that by now notification is mandatory. Even if it is, props to Hell for getting it out there.
FYI: Hell pizza really is very very good. Think Pizza Express with attitude. Even better you can get them in the Hell Pizza UK – well London with branches in Fulham, Shepherds Bush and Clapham.





