Tuesday, April 19, 2005

Spinning Plausible Stories

The 2004 Report of the Data Protection Commissioner (pdf - summary in word format) has a worrying case study:

I received a complaint about Eircom not respecting a Barring Order that had been granted to a wife against her husband. Though she had changed the telephone account details from his name to her name, he had still been able to contact Eircom and had the access codes for voicemail reset so that he could access her voicemail. Furthermore, on closing the account, the final account had been sent to him at his address rather than hers.

Eircom investigated this complaint thoroughly from a data protection perspective. They were not able to establish definitively how the matters complained of arose but accepted that either the estranged husband had the account number himself or perhaps had “spun a plausible story” to Eircom.

Barring orders are granted in circumstances where there is a risk of violence. In this type of situation, disclosing somebody's personal information can threaten their safety or even their life. Yet, despite the fact that "procedures are in place for protecting confidential information and ... staff are aware of the company’s data protection obligations", information is still vulnerable to someone who can "spin a plausible story".

This is familiar territory. The phenomenon is better known as social engineering. It won't come as a surprise to anyone who has glanced at computer security. So why even mention it? Well, if we allow the government to push its data retention agenda then all sorts of personal information (such as details of the websites you visit or the emails you send) will be stored for several years. But don't worry about your privacy. After all,
"procedures are in place for protecting confidential information and ... staff are aware of the company’s data protection obligations".

Unless, of course, someone can spin a plausible story.
