We’d like to remind Forumites to please avoid political debate on the Forum.
This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
Everything Everywhere/Orange/Talk Mobile and the Data Protection Act
andy_k
Posts: 6 Forumite
How safe is your data with Orange/Everything everywhere?
Not at all would seem to be the answer.
At the weekend my 16 year old step-son rang up Orange (to ask a question and see if he could transfer his old number on my account to his new sim to his Dad's Orange account) and without knowing the password to either account or being able to answer the security questions properly he was allowed access and was able to transfer the sim from the other account to mine!
He is not named on the account anywhere, he has a different surname to mine and even though he actually told them that he was not the account holder - I was not contacted.
Naturally we complained. For all the good it did us. At first we were told that no changes had been made to the account (even though we were in the middle of cancelling). Then after a bit more digging (another phone call) we were told that somebody in an offshore call centre had made a change on Sunday but there was no note saying they had spoken to Henry. The call handler promised to call us back (within 20 minutes) and never did. When we rang back and went the same procedure again we were told that we would be called back - again, no call. The third time we called we were put through to a line manager who said there were no notes on the system and she couldn't see how this had happened. She was helpful and promised to look into it and get back to us the following day - I asked her for a direct phone line/email address and rather than give us a company email she gave me her personal one!
I then decided to phone the executive complaints office who told me they would look into it but that in their opinion it was my fault because I had allowed Henry to ring and for him to have sensitive information regarding the account..
This sensitive information he had access to? Oh, because he didn't know the account password they asked him the following security questions;
What is the account holder's name (mine) my address (remarkably exactly the same as his because he lives here) and my date of birth (which he knew and the call handler confirmed to him after he said 'I think that's right isn't it') and how I paid the bill which he couldn't answer because as he told them it wasn't his account.
According to Everything Everywhere's executive complaints team this is all OK and above board (even though it directly contravenes the Data Protection Act) because they have internal policies stating that if the call handler is satisfied the person on the phone knows the account holder it is OK to make certain changes to the account.
The information Commissioner's Office think differently of course and we are now in the process of starting an official complaint.
I've mailed the SEO Olaf Swantee directly to ask his opinion. Not surprisingly this has also gone unanswered.
So, if you have an account with Orange or Everything Everywhere it may be worth checking just how secure your data is.
Not at all would seem to be the answer.
At the weekend my 16 year old step-son rang up Orange (to ask a question and see if he could transfer his old number on my account to his new sim to his Dad's Orange account) and without knowing the password to either account or being able to answer the security questions properly he was allowed access and was able to transfer the sim from the other account to mine!
He is not named on the account anywhere, he has a different surname to mine and even though he actually told them that he was not the account holder - I was not contacted.
Naturally we complained. For all the good it did us. At first we were told that no changes had been made to the account (even though we were in the middle of cancelling). Then after a bit more digging (another phone call) we were told that somebody in an offshore call centre had made a change on Sunday but there was no note saying they had spoken to Henry. The call handler promised to call us back (within 20 minutes) and never did. When we rang back and went the same procedure again we were told that we would be called back - again, no call. The third time we called we were put through to a line manager who said there were no notes on the system and she couldn't see how this had happened. She was helpful and promised to look into it and get back to us the following day - I asked her for a direct phone line/email address and rather than give us a company email she gave me her personal one!
I then decided to phone the executive complaints office who told me they would look into it but that in their opinion it was my fault because I had allowed Henry to ring and for him to have sensitive information regarding the account..
This sensitive information he had access to? Oh, because he didn't know the account password they asked him the following security questions;
What is the account holder's name (mine) my address (remarkably exactly the same as his because he lives here) and my date of birth (which he knew and the call handler confirmed to him after he said 'I think that's right isn't it') and how I paid the bill which he couldn't answer because as he told them it wasn't his account.
According to Everything Everywhere's executive complaints team this is all OK and above board (even though it directly contravenes the Data Protection Act) because they have internal policies stating that if the call handler is satisfied the person on the phone knows the account holder it is OK to make certain changes to the account.
The information Commissioner's Office think differently of course and we are now in the process of starting an official complaint.
I've mailed the SEO Olaf Swantee directly to ask his opinion. Not surprisingly this has also gone unanswered.
So, if you have an account with Orange or Everything Everywhere it may be worth checking just how secure your data is.
0
Comments
-
So your step son also breached your data? He would have had to go through the IVR entering your details too.
So your step son is at fault too0 -
EE have the most terrible customer services, they love to keep you waiting and often hang up on you.
I would never recommend EE to anyone.
EE = Bad to the bone.0 -
I was with T-mobile and they were useless. The account was in my husbands name with me having permission to do everything on it. When I tried to complain about an issue I was having, I was suddenly told they couldn't deal with me as it wasn't my name on the account (despite them having been dealing with me for months previously).
I also had to call 16 times once until I got through to somebody who could do what I was asking (the relatively simple task of removing an add-on!). Then, the add ons I did have weren't working properly and I was being charged for the add-on and also being charged for minutes that should have been free as part of the add on which then meant I went over my credit limit and was cut off!
Total shambles, constantly.
Finally went to cancel, and I was told I couldn't as my husband had to do it. I explained I was set up to run the account but no, hubby had to do it. I phoned back and, without changing my voice, claimed to be him. PAC code sent straight away. It couldn't have been clearer that I wasn't my husband, but as long as I said I was that's all they cared about.0 -
So your step son also breached your data? He would have had to go through the IVR entering your details too.
So your step son is at fault too
I'm fairly sure the OP will be aware of that. However I doubt the step son is covered by the data protection act, nor is it particularly useful for the OP to post a warning about their step son. On the other hand it is worthwhile their posting about poor security at a well known company with many customers.0 -
Not sure that the Data Protection Act has anything to do with this - the only data disclosed was by the step-son to the company; them disclosing that the data he gave was correct would not be covered. There are certainly grounds for complaint on the basis of lax security in not insisting that proper permission was given by the account holder for the changes..According to Everything Everywhere's executive complaints team this is all OK and above board (even though it directly contravenes the Data Protection Act)loose does not rhyme with choose but lose does and is the word you meant to write.0 -
Write a letter of complaint.Declutterbug-in-progress.⭐️⭐️⭐️ ⭐️⭐️0
-
So your step son also breached your data? He would have had to go through the IVR entering your details too.
So your step son is at fault too
my step son did not intentionally breach my data.
He was using a phone that was on my account, we have had this arrangement for a couple of years because at the time it was much cheaper than him having a PAYG phone.
He had planned to switch from Orange to another supplier and as the account holder I had requested a pac code for that phone. Orange being Orange would not send the pac code to another phone on the same account so they sent it to Henry's phone. I told him to keep hold of it as we would need it when he switched companies
His father set up another contract for him on Orange with a new number. Without my knowledge Henry decided to phone Orange and ask them if he could swap his number from one account to the other - they can't actually do this and had he phoned me first I would have told him but just like most 16 year old boys he knows everything and set off on his own path.
This is where it becomes truly ludicrous.
He dialled 150 on the phone and after navigating through the menus he was asked for a password. He didn't know my password so he used his old PAYG password which naturally failed but he was put through to a call handler. He explained to this person that he was not the account holder, gave them his name and said that he was my step-son. This is when the call should have been ended. The call handler was obviously not talking to the account holder as he had told her his name.
The call handler asked him if he knew the account holder's name. Of course he did - I'm his step dad and have been for the last 12 years.
She asked him my address - which of course is his address.
Then she asked my date of birth - he knows that, it's no secret but he wasn't entirely sure so after he gave her the date he said 'I think that's it'. The call handler confirmed he was correct (this according to several people I have spoken to is a clear breach of the data protection act).
As a final security question she asked him how I paid the bill. His reply 'I don't know, I'm not the account holder, maybe by credit card or something' the call handler told him that was incorrect (yet another DPA breach) but still decided to let him make changes to the account.
If you can explain to me how he is in any way responsible for this breach I would love to hear your explanation
0 -
Not sure that the Data Protection Act has anything to do with this - the only data disclosed was by the step-son to the company; them disclosing that the data he gave was correct would not be covered. There are certainly grounds for complaint on the basis of lax security in not insisting that proper permission was given by the account holder for the changes..
according to several experienced call handlers/call centre supervisors I have sopken to the moment the call handler confirms that the answer to a security question is either correct or incorrect they are in breach of the DPA to disclose this information to a third party (no matter who they are) is in most companies a sackable offence as it is 100% against the law0 -
ThumbRemote wrote: »I'm fairly sure the OP will be aware of that. However I doubt the step son is covered by the data protection act, nor is it particularly useful for the OP to post a warning about their step son. On the other hand it is worthwhile their posting about poor security at a well known company with many customers.
Thanks.
It is highly unlikely that Henry will attempt to gain access to any of your accounts but it is highly likely that the lack of concern for your data may well one day effect you.
To be told that the company has internal policies that allow this is beyond belief.0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 351.7K Banking & Borrowing
- 253.4K Reduce Debt & Boost Income
- 454K Spending & Discounts
- 244.7K Work, Benefits & Business
- 600.1K Mortgages, Homes & Bills
- 177.3K Life & Family
- 258.4K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.2K Discuss & Feedback
- 37.6K Read-Only Boards