Virgin on the ridiculous

UPDATE 15.12.14: I think the comments on this piece take it further, and I do accept (as I did at the time, in fact) that the “password” in question was not likely to relate to customers’ accounts.
END UPDATE.

I got into a rather odd exchange over the weekend with the people running the Virgin Media Twitter account. It began when, as is my wont, I was searching for tweets about “data protection” and noticed an exchange in which someone had asked Virgin Media whether their sales people rang customers and asked them to give their passwords. Virgin Media kindly appeared to confirm they did, and that

it’s for security as we can’t make any changes without data protection being passed

I asked for clarification, and this exchange ensued:

[ME] Is it true your sales people call customers and ask for their account passwords? If so, are these unsolicited calls?

[VM] Yes this is true, our sales team would call and before entering your account, would need you to pass account security. I understand for your own security purposes why you wouldn’t feel great doing this, i’d be the same. If you give us a call on 150/03454541111 we can get this cleared up. Let me know how you get on

[ME] Thanks. Not a customer. Just interested in what seems like questionable practice being defended under guise of data protection

[VM] We contact our customers if there upgrade is due, or for a heath check on accounts, and a few other instances, but I get where your coming from [sic]

There’s nothing unlawful about this practice, and I assume that the accounts in question are service and not financial ones, but it doesn’t accord with normal industry practice. Moreover, one is warned often enough about the risks of phishing calls asking for account passwords. If a legitimate company requires or encourages its sales staff to do this, it adds to a culture of unnecessary risk. There are better ways of verifying identity, as their social media person seems to accept, when they say “I understand for your own security purposes why you wouldn’t feel great doing this, i’d be the same”.

One thing I’m certain about, though, is that it isn’t any part of “passing data protection” (unless they mean bypassing) to make outbound calls and ask for customer passwords.

On a final note, and in admiration of bare-faced cheek, I highlight the end of my exchange with Virgin Media:

If you want, as your not a customer, you can check out our brill offers here [removed] maybe we could save you a few pounds?

That’s an offer I most certainly can refuse.

(By the way, as it’s an official Virgin Media account, I’ve taken what I was told on Twitter at face value. If I have misunderstood any of their policies on this I’d be happy to correct).

UPDATE:

Virgin Media’s Twitter account appears to have confirmed to me a) that they do ask for customers’ passwords on outbound sales calls, and b) that they see nothing wrong with it. And rather hilariously, they say that “we can discuss further” if I will “pop a few details” on their web form for social media enquiries. No thanks.


12 responses to “Virgin on the ridiculous”

  1. paulclarke

    Quite incredible. I have a feeling they might be reviewing their staffing of that Twitter feed too, after that display of ineptitude*. I had this same thing from Vodafone once. They wanted to verify me on an inbound call. I refused. We argued. They eventually confessed it was a sales call. I went ballistic.

    *If the Virgin Soc Med management team are reading this (and they will, if they’re doing their job remotely well) you might need a dictionary to help here. It means crapness.

  2. Please do excuse me whilst I lower my ‘defences’ and come in commando in order to post part of my experience..

    https://nodpi.org/forum/index.php/topic,6440.msg54941.html#msg54941

    I’ll take a basic guess I would have had to take my tin-foil pants off to post this reply and as a result I find you are inviting me to ‘leak’ information elsewhere. No doubt it is all aggregated and anonymised, Chicken & Egg, before your site gives it up to all and sundry for a bit of ‘coin’… No ?

    I’ll back off from the ‘rabid’.

    My Story..

    A couple of years back it would seem that someone managed to ‘phish’ my SKY account, hawk spit but it is not BT.

    I noticed that someone had managed to sign up for ‘friend stuff’ on my account using my name appended by a gmail e-mail address.

    Being ever so slightly concerned I called SKY to ask about this and indeed it would appear that someone had ‘phished’ *them* over the phone and gained access to my account.

    As you suggest if you ‘toss the coin’.. just a moment. Virgin ‘phished’ their customer..

    I might blibble on but dangerous curves and EOM.

    Keith

    • The trackers Ghostery is picking up seem to be ones that anyone running a theme-based WordPress site will host. I’m an amateur, with no money to host my own site. I do the best I can, as do my peers, who mostly seem to have similar trackers on their WordPress sites. Any advice though would be gratefully received.

  3. Virgin Poster

    I agree the Twitter response was poor, but isn’t this just a sensible way of ensuring the outbound callers are talking to the account holder? Isn’t the alternative simply to ask the caller to confirm their name/address etc (exactly what your first commentator takes offence to)? So whatever the best practice, isn’t this their way of ensuring they are speaking to the account holder and thus ‘passing’ data protection rules?

    I note your link to the “normal industry practice” that you alleged they were conflicting didn’t give any advice about passwords on accounts, but it did state “Never divulge private information data in response to an email, text, letter or phone call unless you are certain that the request is from a bona fide source”. It seems slightly inaccurate to suggest they are acting against industry practice – but how would you advise outbound service calls ensure they are talking to the account holder?

    Wouldn’t most people find it easier to fraudulently answer security questions like name/address/dob etc than a specific password? In which case, isn’t this a broadly reasonable approach?

    • Isn’t one possibility to ask for say the second and fifth character from the password?

    • The link to “normal industry practice” was wrong. I’ve corrected it now, to a page which states “Never disclose your passwords to anyone else”.

      Passwords are (should be) private and only known to you. Your name/address etc are not the same, although they are clearly personal information. Paul (first commenter) I suspect takes exception, as do I, to any unsolicited sales call which asks the recipient to verify themselves. I similarly take exception, but that’s a broader point.

  4. Pingback: I DON’T KNOW WHAT I’M DOING | informationrightsandwrongs

  5. Hi, sorry I’m late to this but I came across it whilst searching something else unrelated and found it interesting.
    First, I am a virginmedia customer, nothing more than that and trust me I could have plenty of complaints about them, especially about the appalling loss of quality in customer service since it has been outsourced overseas but that’s another story.
    In this regard though I shall have to defend them. As a non-customer I think you have misunderstood the purpose of this password and that’s understandable.
    This is not the password that you might use to access your account online or to access your emails. This is a password that you mutually set up when opening the account and is there for the purpose of protecting your account from unauthorised use. It can’t be data sensitive as it is a mutually agreed access code. It does not give the customer service rep access to your account, they have that immediately that you phone them from your telephone number. This is used to identify you as the owner of the account or agent so as to prevent anyone who might know your name and address ordering services or making malicious changes without permission as you could reasonably expect a stranger not to know the password.
    Giving the password satisfies the rep that you are authorised to make changes to the account. My mother is also a customer but being elderly she prefers me to do her dealings with Virgin, as I am clearly not the lady named on the account I also have a password with Virgin for her account which I give when prompted and this tells them that I am the son, named as agent.
    It’s really nothing more than that, a safeword, or numbers, whatever you choose. It has nothing to do with access to sensitive data on your account. They also ask for a number of other related info from the account such as dates of birth, postcodes, house number etc but all of this can be in the public domain.

    Clearly the Virgin Media representative on the Twitter account at that time (there are many on throughout the day in shifts, I know this having had to deal with them often regarding my many other complaints) could have been much more helpful in explaining this.

    • Thanks Craig – I recall others pointing this out to me. I think you’re correct, and I’ll post an addendum shortly. I do think if they are going to use this form of authentication it might be better to avoid the use of the word “password”, but maybe I’m just being picky.

  6. Drew Hunnam

    My gripe isn’t so much with them asking for the password when I call them, as I have called the 150 number so I know it’s a secure line, but when they call me asking for the password. When I pointed out that I have no way to verify that they are who they say they are, the agent from India offered to give me his staff ID, to which I responded “And how is your staff ID of any use to me? How does that help me verify that you are Virgin calling?” Obviously we do not have any way of verifying without hanging up and calling back. I did put in an official complaint about this practice with Virgin Mobile, as I am a customer of Mobile and Media and they use the same practice in both areas. The response I received from the Complaints Resolution Team was that the policy would not and could not be changed about asking for the full password on outbound calls, and the only advice they could give me was to take my business elsewhere.
