Rights.comIndividual rights and today’s issues.

Smith Barney, Intuit Payroll, and Amex update

Smith Barney sent a welcome message to Harold Bxxxxx, welcoming Harold B to Smith Barney online and another for account number ###-##099 being enrolled in E-Delivery with the last 3 SSN ending in 040.  Smith Barney, like others, links to their privacy policy, and does a wonderful job following it.  They do give an 800 number (800-221-3636) to call, but no link or email address to notify them.

Next we have Intuit QB Basic Payroll sending order # SBL36468501 for 243.89 to me for Grant Kxxxxx in Boca Raton, Florida with no reply address and no way to notify them that they are sending information to someone else.

An update on the American Express “Settlement and Payment Advice Report for SE No: 9740108691.”  American Express is still sending them.  While asking to be notified by email, but messages to their notification email address still bounce.

How about companies adopt a standard link at the end of their emails to notify them to review the address?

Best Buy sends credit card info!

Following in the footsteps of others, Best Buy and HSBC Bank send private information without a method of notifying them of their mistake.  They obviously do not bother to verify email addresses.   So, Tom H***** is getting information from Best Buy about his account ending in 8954 sent to us.

The kicker is that Best Buy and HSBC included the statement that  ”We maintain strict security standards and procedures to prevent unauthorized access to information about you.”  I guess that is, unless of course HSBC and Best Buy send it to the wrong email address they do not bother to verify them.

After speaking with a supervisor, they intended to “try to find the account number” and delete it, but apparently there is no method for them to look up an account number by email address, name or last four digits.

Continental Sends someone else’s Flight check-in information

And yet another example for poor privacy practices by Continental Airlines sending me flight check-in information for “Annmrs Zgonena”.  Now it seems a bit strange that someone would be using an email address that does not belong to them to book a flight and the airlines wouldn’t know it.  But it is also amazing the amount of information they share including the confirmation number, complete itinerary and the food selection with a complete stranger.

To make matters worse, Continental provides no method to notify them that someone is not using their own email address to book a flight.

HomeDepot and private information

As a follow-up, HomeDepot is yet another company that plays fast and lose with your privacy.  Check the email out below.

Now in this same email, the Subject says “DO NOT REPLY.”  In the text HomeDepot says “This is an unmonitored mailbox; please do not reply directly to this e-mail.”  Then a few sentences further, it says “if this message has been sent to you in error, please immediately alert the sender by reply e-mail.”  The do include a link to their privacy policy (http://www.homedepot.com/privacy).  Fortunately OUR terms of service that apply to email sent to us, is that we may quote it here. Otherwise, emailing us is strictly forbidden.

HomeDepot should be including a link to report problems that are either fraud or honest errors.  Likewise, HomeDepot should take the time to proofread their emails in order to ensure that they make sense.

—————————————–

Fri, Nov 13, 2009 at 9:54 AM
subject DO NOT REPLY: The Home Depot Home Services Appointment Details [47638xx]
Dear: Paul Jxxxxxx,
Thank you for submitting your information with The Home Depot’s Installation Services:

Home Insulation

Our representatives will contact you within 24 to 48 hours.
…
This is an unmonitored mailbox; please do not reply directly to this e-mail.
…
If you are not the intended recipient of this message, or if this message has been sent to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments.

Corporations that play fast and loose with individuals private information

In a recent investigation Rights.com has discovered many large companies who should be protecting your privacy are not doing so.  Companies that are large enough to have good privacy policies either are ignoring them or not doing a good enough job in doing so.  Ironically, most of the companies include links to their privacy policies that include the terms that they will share personal information with 3rd parties.

First up on our list of companies that do not verify where they are sending your private information is BMW Financial Services disclosed Sandra A’s name (last name included in the email but not included here to protect her privacy), her presumed nickname – Sandy-, and the BMW car she has 2006, 325xi.  BMW attempted to look up the account by email and said they would attempt to remove it [Update: a week later they were still sending us email].  Most people would not have called them though in order to correct their error.  The email also included the line “we diligently safeguard your privacy” with a link to their privacy policy (http://www.bmwusa.com/About/privacy.htm?panelid=3), none of which did BMW follow by sending us Ms. A’s personal information.  BMW provided no method to let them know that they had made a mistake, and in fact made it extremely difficult to speak with a human in order to even get a comment requesting account numbers or social security number repeatedly.

AT&T Wireless was even worse.  The first woman I spoke too transferred me to a different department where I was rudely told I “didn’t understand the Internet” and that the fact that they were sending me information about Crystal R’s account meant that my own email account had been stolen and that I had to talk to my ISP about how to remedy the problem.  AT&T could not believe that they had entered an email address in error and would not even pull up the account to remove the email address – AT&T had helpfully sent me the phone number. Of course, it had NOTHING to do with the fact that it turned out that her email account was the same as mine except with an “i” at the end which AT&T had neglected to enter.  I called the person to let them know that AT&T was sending me her account information and she and I figured out the problem while on hold with AT&T.  It is funny that after calling back 3 more times I finally spoke with someone who understood the problem and decided to actually call the account holder and fix the email address in the AT&T Wireless computer system.  AT&T should train its employees better to be more polite, and to be receptive to good Samaritans who are try to report a problem to AT&T.  Likewise, AT&T Wireless also has been sending me updates for MORDECAI ALPERT about his A-List Feature or Call-list.

Disney Destinations has sent several emails including confirmation numbers for reservations, full details of the people making the reservation – name, address, balance due – where they were staying and the dates.  But not way to notify Disney of the error.  For example, Ms. Jackie G. from West Palm Beach is going to stay at Disney’s Boardwalk Inn in December.  Kris P is going to be there the same day, perhaps they know each other.

AmericanExpress sent us a “Settlement and Payment Advice Report” for “SE No: 9740108691.”  With all kinds of merchant details and transactions.  They ask you to reply immediately if you “receive this message in error.”  That is the right idea, but the email address gives the message that “Delivery to the following recipients failed.”  So, while AmericanExpress did try, they didn’t succeed.

Verizon  sent us information about the account number ending in 1772-00001 that “[t]he current balance due is $270.55.You can conveniently view your bill statement.”  Verizon provides a link that states “If you are not the intended recipient and feel you have received this email in error, please click here to notify us.”  However, the link takes you to the generic Verizon Wireless website with no link to contact about email addresses that are incorrect.  Verizon seems to have the right idea, but a poor implementation.  Verizon also has a link to their privacy policy, which doesn’t seem to be being followed.  Beth at Verizon said that Verizon does not verify the email addresses and it is up to the customer to do so.

1800Flowers has sent several emails.  For example, one on November 10th, with a delivery for Edwina L. in North Fort Myers, FL from (presumably) her son, Kevin H.and Dana H. in Geneva IL saying “Thank you for being such a wonderful Mother, Love, Dana”.  The email lists the last four digits of the American Express card, the full addresses of both people, order number etc.

Walmart sent us email for JB Hughes with the last 4 digits of his Visa card (aka Walmart MoneyCard) and the balance remaining.  Walmart’s email is “an unmonitored email box” with no way to notify them of the error by phone or email.  They ironically provide a link to their privacy policy. (See here.)

GE Consumer and Industrial Appliance Parts was even kind enough to send me their eNewsletter with the tag “CONFIDENTIAL — DO NOT DISTRIBUTE OR PUBLISH TO THIRD PARTY.”  And no link to let them know that GE itself is “publish[ing] to a third party.”

The worst of the bunch though is Hilton Hotels.  After receiving 3 emails from various Hilton Hotels in the last 2 days, none with a link to report their error, I called Hilton to get a comment.  For example, Stephen B will be at the Hilton Garden Inn, Cleveland Downtown Nov 14-15.  Hilton Hotels was happy to send his confirmation number and more, but no link to let them know they’d made a mistake.  Amauri A will be at the Hilton, Chicago O’Hare Airport 11/30-12/1 2009.  No link to let them know of the error, but links to “modify or cancel your reservation.”  George U stated at the Hilton Garden Inn Pittsburgh/Southpoint 11/5-116 and earned 119 miles for it.  The General Manager of the hotel, Paul Bazzano signed the email, but didn’t provide details on correcting their error.  The kicker is this: The email states “Please do not reply to this email. Mail sent to this address cannot be answered” but then states “If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete this message.” Hilton, which one is it?  Reply or not?  After replying to the email and receiving no answer after several days, it appears they will not be doing so.

So I decided call Hilton at 877-444-9847. After being on hold for 20 minutes I finally spoke with Bryan Simmons who asked me to forward the email to them so they could investigate.  No reasonable person is going to try to attempt to correct Hilton Hotel’s errors for that long, but I was hoping to be able to speak with someone there and did so.  Perhaps Hilton will correct the issues in the future.

Then we have Beacon Medical Services for Longs Peak ER Physicians that notified us that Jody J. M.’s payment was declined on her Mastercard ending in XXXX for $55.00 with 1990534xx as the account number.  After speaking with them, they say they do not email people, so someone must’ve been pretending to be them and spamming with that information. True?  Perhaps.

Vonage is yet another company that has difficulty protecting individuals private information.  Vonage has been sending me the visual voicemails, with voice-message.wav attached for a Willie T. at 706-955-11xx.  They provide no means of notifying them of problem and are sharing private voicemails with someone who is not their customer.  Calling their toll-free number (which should NOT be required) connects you with someone who is not a native English speaker and who (both times I called) had difficulty in understanding how they could be sending me someone else’s voice mails.

Sprint (sprint.com) continues the trend with no way to notify them, and no way to remove yourself.  Sprint has been sending us Gary S’s PIN and security answer with only a part of the account number blocked.  So, there is absolutely no way to notify them that they are sending the information to us.  Amazingly poor privacy protection.

Few of the companies provide the means to correct their mistakes.  Someone who was attempting to steal and identity or commit fraud could use this information to further their cause.  Likewise, any burglar would love to know when a person is going to be out of town in Pittsburgh or Orlando.

Some suggested requirements for companies who send private information to their customers.

(a) Require users to enter email addresses twice.  Require employees to enter email twice and read the email address back to the user.

(b) Verify email addresses prior to sending.  This does not mean just a link to click on, but a code sent via regular mail or text message that is then entered after clicking a link in the email.

(c) Provide a method to report an incorrect address.  Just a link that says “You have the wrong email address, please delete it” would be sufficient.

(d) For confidential email, senders should sign and/or encrypt the email with something like PGP.  Sending confidential information by email is just a bad idea all around.  It is like sending private information by postcard and addressing it to the New York Times.

In short, while the companies above are claiming to protect your privacy a combination of mistakes by either their customers or their representatives are failing to do so.  We’ll be updating this report over time.