When human errors put PII at risk…

I’ve been having a bit of a bizarre experience for the last couple of months, and decided to share…it’s bothering me a bit.

Back on September 10th, a lady – let’s call her Jane Doe – applied for a life insurance policy with specific funeral benefits. Only…Jane accidentally gave the company one of my personal email addresses by mistake.

That afternoon, the information started rolling in. I marked the first email as spam. But then they just kept coming – and one of them came with Jane’s complete insurance application. I had an extensive amount of PII for Jane at my fingertips.

So, I called the company. They weren’t sure what to do with this information. I received emails from the insurance agent, and the underwriter. I’ve emailed the company, and both of these individuals as well. I received a note that said – My bad – from the insurance agent.

(Please note – do not let your sales people answer notes in that manner.)

But that hasn’t stopped the flood. As of today, November 8th, I’ve received over a dozen emails, half of them containing PII. The latest email from earlier today advised me on the credit card used for the policy, the last 4 digits, and the payment status of the account.

Last week, Jane applied for a personal loan – the same mistake was made. I’m going back down the same path with a financial organization…and making NO headway.

Jane’s information is safe with me. I’m not going to do anything nefarious with it. But I’m totally baffled that I’ve made half a dozen phone calls, and sent over a dozen emails…and nothing has fixed this. At what point is the onus on the business to get ahold of Jane, and get correct info?

And that makes me wonder about the people that I do business with – could they correct this mistake? We’re going on two months now for poor Jane.

My point? This story may be worth an eye roll. But, as I said, I’m baffled. The companies in question seem to have policies and procedures in place if I was Jane, and I was NOT getting the information they were sending. There don’t seem to be any procedures in place for my situation – where the information is going to the incorrect person, and that person contacts you. I cannot verify Jane’s info for them – well, I could if I felt like keeping her PII – and I can’t give them the correct email address.

Take a look at your organization. Talk to your call center staff, your sales people, and others who may be in that position – what would THEY do if I called them, and said I was getting Jane’s emails?

At best, you’ve conducted a mini incident response exercise. At worst, you may find a hole in your processes and procedures.

Update January 2019: After spending most of November and part of December on this, the legitimate emails have mostly stopped. Jane is now getting quite a quantity of spam from less than optimal looking financial service organizations, as she applied for a number of different loans. But the original loan purveyor has stopped emailing me, as has the insurance provider.

John Doe and his wife are traveling to Munich next week, and made a similar error – so far, one contact with the airline has stopped that correspondence.

Update March 2019: Here we go again. Jane is applying for loans again. While my mailbox has received 17 missives of various quality over the last 48 hours…at least I don’t have PII this time? How would you tackle this one? (Make that 19. In the time it took me to write this quick update, two more came in.)

How does your business handle this? I’d love to hear from you, because now I’m really curious – lwallace@microsolved.com, or @TheTokenFemale on Twitter!

If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.

This entry was posted in Awareness, General InfoSec by Lisa Wallace.

About Lisa Wallace

Lisa Wallace joined MSI in 2015 as a security focal and project manager, and became Technical Director in 2017. She is involved in internal and external penetration testing, application assessments, digital forensics, threat intelligence, incident response, and eDiscovery efforts. She is responsible for scoping our efforts across all workstreams, as well as project and staff coordination and management. She has worked in a variety of fields, including utilities, financial services, telecommunications, and consulting in a number of ancillary industries.