Sunday, 3 May 2009

Abuse and Unauthorised Sale of Customer Databases

Source - THE STAR ONLINE
WebLink - http://thestar.com.my/news/story.asp?file=/2009/5/3/focus/3818877&sec=focus
Date - Sunday, 3.5.2009


Beware, your data’s on sale
Stories by JOSEPH LOH and RASHVINJEET S. BEDI

Malaysians are used to receiving unsolicited phone calls, text messages or e-mails offering services or products for sale. One reason for this is the abuse and unauthorised sale of customer databases.

It was an innocuous-looking advertisement in a local daily, but it offered a specialised service much sought after by those in need of data on prospective clients.

What was on sale through the ad was a databank of more than one million “updated handphone and e-mail listings”, going at a fee of 1,000 names for RM100.

Sunday Star managed to acquire a list of 1,000 contacts to check the veracity of the claim, and all it took was a phone call to one of the two names posted in the ad.

This list contains the client’s name, area of residence, handphone number, type of credit card (classic, gold or platinum) and the bank which issued it and, in some cases, even the place of work.

The seller claims he has one million contacts in total, and for certain entries, he has the identity card numbers, position in the company and birthdays. If requested, the database can be tailored to the buyers’ needs.

When asked how he got the contact numbers, he claimed he got them from some local banks but did not specify how he obtained them.

Other sources of the data include telecommunication companies (telcos), and some unspecified membership lists.

A check on the Internet revealed several companies offering the same data-for-sale service.

Worryingly apathetic

Sunday Star made calls to several people on the list to verify its authenticity and also to gauge their level of concern about the matter.

Tan* says it is upsetting to know his details are being bandied about.

“I assume that the banks gave out my number. But what can they (database collectors) do with just your number?” says Tan, who adds that he often gets messages promoting spas and holidays.

Wong* says he is not in the least bit surprised. “Everyone has received calls from unknown people trying to sell them something. You’re not telling me anything new, and this has been going on for years and years.”

Rajesh*, on the other hand, was completely indifferent to the fact. “So what if you have my contact number? It is just a nuisance, and I can just hang up the phone.”

A few did voice some concern.

Seng Leong* was aghast that the entry on him, which disclosed his place of work and type of credit card, was being sold.

“You mean you only paid RM100 for the list? How could you possibly know all those details? This is supposed to be between me and the bank, and you should not know all that,” he says, and worries if more of his particulars are in another database for sale.

Likewise, Jacky* is concerned, but asks: “What can they actually do with the data? I suppose it can potentially be used as the basis for identity theft,” adding that the Government should address the issue immediately.

Data easily available

Businessman Ganesh* admits to purchasing the database of members to an exclusive club. As it was considered high-end data, he paid RM3 for every entry.

“All these names had Tan Sri and Datuk honoraries. Many in the list were public figures,” he says, adding that he bought the data from someone within the company. “The best way to get it is through the administration or human resource staff.”

He explains that complete data would be those with full names, addresses and two phone numbers. According to Ganesh, this kind of information will always be in the hands of telemarketers.

“They operate on a project to project basis. It would be hard to detect them. There is a machine where you can export the database and send messages by batches,” he says.

Ganesh says he was in turn able to re-sell the data for RM4 each. “There will always be someone who will buy this kind of information.”

The chief executive of the National Consumer Complaints (NCCC) Centre, Muhammad Shaani Abdullah, was shocked when told that Sunday Star managed to purchase the list of names.

“This is the first time I am hearing of such a thing. I wonder what the authorities are doing about it. If someone makes a higher offer, what is there to prevent other vital information such as credit card numbers from being obtained?” he says.

Jelutong MP Jeff Ooi believes his own data was leaked and he himself was offered databases in the run-up to the 2008 General Election.

Ooi says the databases from credit card companies could be useful to businesses as they could indicate purchasing patterns of a particular person. He says that housing developers who sold high-end products could make cold calls to these individuals.

“Even if they get a response of 5% to 7%, it is considered to be a good return,” he says.

Of his personal experience, Ooi claims that a bank leaked out his details.

“I used a particular name and address for a certain credit card. Suddenly, I got six different invitations (to this name) to subscribe to different magazines,” says Ooi, who subsequently discontinued his service with the bank.

He stresses the need for legislation on private data protection. “Before, everything was on paper but now, everything is stored on servers. This data can be transmitted in a matter of seconds,” he says.

Building databases

Sometimes an individual gives his details away willingly or unwittingly when filling up contest forms or promotional material. A Maxis spokesperson advises all mobile users to be cautious about revealing their mobile numbers.

“Where possible, customers should always opt not to reveal their mobile phone numbers and other personal information like identity card numbers and addresses.

“If a company makes it mandatory for you to submit your mobile number, that company should also give you a clear option to state that you do not want your number or any other contact details to be used by any party to market their services to you,” he says.

According to Suresh*, who works in a marketing communications company, there are many ways to obtain customer databases. Sometimes, it is exceedingly easy to get.

“We can walk up to individuals and offer them a free sample, and all they have to do is fill in a form. There are many who will sign up,” he says, adding that there is no telling where the collected information ends up.

Other accessible sources are the phone book, trade directories and the Internet.

“A trade directory will contain the name of the person-in-charge and that person would be a good sales prospect. Via the Net, you can go to a large company’s website and get a list of the top people there. There is a lot of information available in the public domain,” he says, but admits that there are questionable ways of obtaining it, even from companies that are supposed to keep data confidential.

“It can come from an individual who keys in the details – most of the time, that is the only way to get the info,” he says.

However, Suresh stresses that as a matter of principle, his company adheres to a code of conduct of sorts, and does not purchase “illegal” databases.

“If we want to use a telco’s database, we approach the company and pay them to send out text messages or to include a brochure with their monthly bills. Who they send it to is not known to us,” he says.

Internal security

Banks regard the leaking of information as a very serious offence. Those caught for this offence could be subjected to the charge or punishment as determined under Section 97 of the Banking and Financial Institutions Act 1989 (Bafia).

“All our staff and approved outsourcing agents are required to execute a confidentiality undertaking that they are not to disclose any customer information, as clearly bound by the staff handbook and agency agreement, as well as adherence to the provision of secrecy under Section 97 of Bafia,” says Public Bank chief operating officer Wong Jee Seng.

A Hong Leong Bank statement says it has established controls and security systems to ensure that customer information is kept confidential at all times.

“Prior customer written consent is required for any exception to this obligation. The bank does not condone the practice of selling customer information to third parties,” it says.

Chuah Mei Lin, the Association of Banks in Malaysia (ABM) executive director, says: “ABM affirms that its member banks treat customer information with the greatest of confidentiality and will not ‘sell’ information or use the same indiscriminately outside the confines of the banker-customer relationship.”

She adds that there are well-established laws and regulations as well as internal policies on confidentiality and information security which banks strictly abide by.

Chuah also says banks will not hesitate to take relevant disciplinary action and report employees who breach such laws, regulations and policies.

However, there are instances where the banks or companies within its group will send out promotional materials.

“Customers will be informed by companies within a bank’s group soliciting for business on the basis of the bank’s database, such as insurance or unit trust companies, that the solicitation is made on behalf of the bank.

“Members of the public are encouraged to contact the Association via its ABMConnect in respect of any suspected breach of confidentiality on the part of its member banks,” Chuah says.

Telcos are not allowed to give out personal data of their clients to any third party in accordance with the General Code of Practice for the Commission and Multimedia Industry Malaysia and provisions of Communications and Multimedia Act 1998.

Exceptions to the rule are authorised requests from law enforcement agencies such as the police, the courts and also the Malaysian Communication and Multimedia Commission (SKMM).

A Maxis spokesperson says the company has extensive control measures and procedures that include very controlled and restricted access to customer information.

“All Maxis employees are cognizant of the severe consequences of breaching the company’s strict rules about keeping our customers’ information confidential,” says the spokesperson.

Similarly, Celcom says it adheres to its Protection of Consumer Information Policy (PCIP) to safeguard its customers’ personal data.

“In the event of any leakage of customers’ information, a thorough investigation will be conducted when an official complaint is made. We will not hesitate to initiate legal action if we uncover evidence of such wrongdoings,” says its CEO Datuk Seri Shazalli Ramly.

* Names have been changed.

> ABMConnect (Tel: 1-300-88-9980)
