UPDATE 15.12.14: I think the comments on this piece take it further, and I do accept (as I did at the time, in fact) that the “password” in question was not likely to relate to customers’ accounts.
I got into a rather odd exchange over the weekend with the people running the Virgin Media twitter account. It began when, as is my wont, I was searching for tweets about “data protection” and noticed an exchange in which someone had asked Virgin Media whether their sales people rang customers and asked them to give their passwords. Virgin Media kindly appeared to confirm they did, and that
it’s for security as we can’t make any changes without data protection being passed
I asked for clarification, and this exchange ensued
[ME] Is it true your sales people call customers and ask for their account passwords? If so, are these unsolicited calls?
[VM] Yes this is true, our sales team would call and before entering your account, would need you to pass account security. I understand for your own security purposes why you wouldn’t feel great doing this, i’d be the same. If you give us a call on 150/03454541111 we can get this cleared up. Let me know how you get on
[ME] Thanks. Not a customer. Just interested in what seems like questionable practice being defended under guise of data protection
[VM] We contact our customers if there upgrade is due, or for a heath check on accounts, and a few other instances, but I get where your coming from [sic]
There’s nothing unlawful about this practice, and I assume that the accounts in question are service and not financial ones, but it doesn’t accord with normal industry practice. Moreover, one is warned often enough about the risks of phishing calls asking for account passwords. If a legitimate company requires or encourages its sales staff to do this, it adds to a culture of unnecessary risk. There are better ways of verifying identity, as their social media person seems to accept, when they say “I understand for your own security purposes why you wouldn’t feel great doing this, i’d be the same”.
One thing I’m certain about, though, is that isn’t any part of “passing data protection” (unless they mean bypassing) to make outbound calls and ask for customer passwords.
On a final note, and in admiration of bare-faced cheek, I highlight the end of my exchange with Virgin Media
If you want, as your not a customer, you can check out our brill offers here [removed] maybe we could save you a few pounds?
That’s an offer I most certainly can refuse.
(By the way, as it’s an official Virgin Media account, I’ve taken what I was told on Twitter at face value. If I have misunderstood any of their policies on this I’d be happy to correct).
Virgin Media’s Twitter account appears to have confirmed to me a) that they do ask for customers’ passwords on outbound sales calls, and b) that they see nothing wrong with it. And rather hilariously, they say that “we can discuss further” if I will “pop a few details” on their web form for social media enquiries. No thanks.