After numerous calls over the last few months, including several emails to privacy@att.com and assurances from them that they do protect client privacy, AT&T sent us Mordecai Alpert’s payment information from today.  AT&T has still refused to answer questions regarding how little they are doing to protect Mordecai Alpert’s privacy.

Hello MORDECAI ALPERT:

Please contact AT&T Wireless regarding account number 523024065xxx at 1-800-947-5096. Thank You.

——————————-

Your Wireless Bill is Ready Online

Hello MORDECAI ALPERT,

Your monthly wireless bill (for account 523024065xxx ) is now available for review online.

Log in today to view your bill and make a payment.

Thank You,

AT&T

Your Wireless Bill is Ready Online

Hello MORDECAI ALPERT,
Your monthly wireless bill (for account 523024065xxx ) is now available for review online.Log in today to view your bill and make a payment.
Thank You,AT&T

—————–Update, January 11, 2010:

Thank You

Hello MORDECAI ALPERT,

Your payment has been received and will be applied to your wireless account.

• Amount: 142.49
• Date: 01/11/2010
• Confirmation number: QPCODT613957xxx

We appreciate your business.

Thank you,
AT&T

This e-mail was auto generated. Please do not respond.

Privacy Policy | Terms of Use

©2009 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Humorously enough BarclayCardus.com has this message on it today:

“At Barclaycard, we never stop envisioning new ways to help our partners cultivate customer loyalty.”

We don’t suppose that includes protecting AirTran’s customers privacy.

This is the email they sent:

Dear BURTON,

Welcome! You’ve been approved for the AirTran Airways A+ Visa Signature card, brought to you by Barclays.

Use your AirTran Airways A+ Visa Signature card to earn points* toward travel on AirTran Airways. Earn one AirTran Credit for every 1,000 points. Soon you’ll be flying for free by earning:

Bonus Credits when you use your card**
Points toward travel with every purchase you make
Double points on your AirTran Airways travel purchases
In the next few days, we’ll be sending you everything you need to start using your AirTran Airways A+ Visa Signature card. In the meantime, please register online at www.BarclaycardUS.com. Once you’ve set up your username and password, simply log in to:

View your account balance and transaction summary
Check the status of any balance transfer(s) you may have requested or submit a new balance transfer after you have received and activated your card
If you have any questions regarding your AirTran Airways A+ Visa Signature card, please visit www.BarclaycardUS.com to send us a secure email. Or, visit www.airtran.com to purchase tickets, redeem Credits or sign-up to receive AirTran Airways Net Escapes airfare offers via email.

Thanks for choosing the AirTran Airways A+ Visa Signature card.
Chris Reitnour
Director, Marketing
Barclays

You received this email because you have been approved for the AirTran Airways A+ Visa Signature card.

We’re happy to send you occasional emails about Barclays features and benefits, but if you’d prefer not to receive them, please login to www.BarclaycardUS.com and select ALERTS/PROFILE. From the PROFILE screen you can update your PRIVACY OPTIONS. You will continue to receive any Account Alerts that have been set up and any email updates about your account.

* The AirTran Airways A+ Visa Signature card program is sponsored by AirTran Airways.
** Points will be credited to your account at the close of your first billing cycle after use of the AirTran Airways A+ Visa Signature account. Your annual fee must be paid and your account must be in good standing in order to earn points.

Please Do Not Reply to this Email
This is a notification-only email that cannot accept incoming replies. To send us an email, simply log in to www.BarclaycardUS.com, click on CUSTOMER SERVICE and then select EMAIL to send your message securely.

The AirTran Airways A+ Visa Signature card is issued by Barclays Bank Delaware, Attn: Gates – IS, 100 S. West Street, Wilmington, DE 19801, Member FDIC.

BRD-EM-14466051

…To review our Privacy Policy, click here.

Next we have Intuit QB Basic Payroll sending order # SBL36468501 for 243.89 to me for Grant Kxxxxx in Boca Raton, Florida with no reply address and no way to notify them that they are sending information to someone else.

An update on the American Express “Settlement and Payment Advice Report for SE No: 9740108691.”  American Express is still sending them.  While asking to be notified by email, but messages to their notification email address still bounce.

How about companies adopt a standard link at the end of their emails to notify them to review the address?

The kicker is that Best Buy and HSBC included the statement that  ”We maintain strict security standards and procedures to prevent unauthorized access to information about you.”  I guess that is, unless of course HSBC and Best Buy send it to the wrong email address they do not bother to verify them.

After speaking with a supervisor, they intended to “try to find the account number” and delete it, but apparently there is no method for them to look up an account number by email address, name or last four digits.

To make matters worse, Continental provides no method to notify them that someone is not using their own email address to book a flight.

Now in this same email, the Subject says “DO NOT REPLY.”  In the text HomeDepot says “This is an unmonitored mailbox; please do not reply directly to this e-mail.”  Then a few sentences further, it says “if this message has been sent to you in error, please immediately alert the sender by reply e-mail.”  The do include a link to their privacy policy (http://www.homedepot.com/privacy).  Fortunately OUR terms of service that apply to email sent to us, is that we may quote it here. Otherwise, emailing us is strictly forbidden.

HomeDepot should be including a link to report problems that are either fraud or honest errors.  Likewise, HomeDepot should take the time to proofread their emails in order to ensure that they make sense.

—————————————–

Fri, Nov 13, 2009 at 9:54 AM
subject DO NOT REPLY: The Home Depot Home Services Appointment Details [47638xx]
Dear: Paul Jxxxxxx,
Thank you for submitting your information with The Home Depot’s Installation Services:

Home Insulation

Our representatives will contact you within 24 to 48 hours.
…
This is an unmonitored mailbox; please do not reply directly to this e-mail.
…
If you are not the intended recipient of this message, or if this message has been sent to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments.

First up on our list of companies that do not verify where they are sending your private information is BMW Financial Services disclosed Sandra A’s name (last name included in the email but not included here to protect her privacy), her presumed nickname – Sandy-, and the BMW car she has 2006, 325xi.  BMW attempted to look up the account by email and said they would attempt to remove it [Update: a week later they were still sending us email].  Most people would not have called them though in order to correct their error.  The email also included the line “we diligently safeguard your privacy” with a link to their privacy policy (http://www.bmwusa.com/About/privacy.htm?panelid=3), none of which did BMW follow by sending us Ms. A’s personal information.  BMW provided no method to let them know that they had made a mistake, and in fact made it extremely difficult to speak with a human in order to even get a comment requesting account numbers or social security number repeatedly.

AT&T Wireless was even worse.  The first woman I spoke too transferred me to a different department where I was rudely told I “didn’t understand the Internet” and that the fact that they were sending me information about Crystal R’s account meant that my own email account had been stolen and that I had to talk to my ISP about how to remedy the problem.  AT&T could not believe that they had entered an email address in error and would not even pull up the account to remove the email address – AT&T had helpfully sent me the phone number. Of course, it had NOTHING to do with the fact that it turned out that her email account was the same as mine except with an “i” at the end which AT&T had neglected to enter.  I called the person to let them know that AT&T was sending me her account information and she and I figured out the problem while on hold with AT&T.  It is funny that after calling back 3 more times I finally spoke with someone who understood the problem and decided to actually call the account holder and fix the email address in the AT&T Wireless computer system.  AT&T should train its employees better to be more polite, and to be receptive to good Samaritans who are try to report a problem to AT&T.  Likewise, AT&T Wireless also has been sending me updates for MORDECAI ALPERT about his A-List Feature or Call-list.

Disney Destinations has sent several emails including confirmation numbers for reservations, full details of the people making the reservation – name, address, balance due – where they were staying and the dates.  But not way to notify Disney of the error.  For example, Ms. Jackie G. from West Palm Beach is going to stay at Disney’s Boardwalk Inn in December.  Kris P is going to be there the same day, perhaps they know each other.

AmericanExpress sent us a “Settlement and Payment Advice Report” for “SE No: 9740108691.”  With all kinds of merchant details and transactions.  They ask you to reply immediately if you “receive this message in error.”  That is the right idea, but the email address gives the message that “Delivery to the following recipients failed.”  So, while AmericanExpress did try, they didn’t succeed.

Verizon  sent us information about the account number ending in 1772-00001 that “[t]he current balance due is $270.55.You can conveniently view your bill statement.”  Verizon provides a link that states “If you are not the intended recipient and feel you have received this email in error, please click here to notify us.”  However, the link takes you to the generic Verizon Wireless website with no link to contact about email addresses that are incorrect.  Verizon seems to have the right idea, but a poor implementation.  Verizon also has a link to their privacy policy, which doesn’t seem to be being followed.  Beth at Verizon said that Verizon does not verify the email addresses and it is up to the customer to do so.

1800Flowers has sent several emails.  For example, one on November 10th, with a delivery for Edwina L. in North Fort Myers, FL from (presumably) her son, Kevin H.and Dana H. in Geneva IL saying “Thank you for being such a wonderful Mother, Love, Dana”.  The email lists the last four digits of the American Express card, the full addresses of both people, order number etc.

Walmart sent us email for JB Hughes with the last 4 digits of his Visa card (aka Walmart MoneyCard) and the balance remaining.  Walmart’s email is “an unmonitored email box” with no way to notify them of the error by phone or email.  They ironically provide a link to their privacy policy. (See here.)

GE Consumer and Industrial Appliance Parts was even kind enough to send me their eNewsletter with the tag “CONFIDENTIAL — DO NOT DISTRIBUTE OR PUBLISH TO THIRD PARTY.”  And no link to let them know that GE itself is “publish[ing] to a third party.”

The worst of the bunch though is Hilton Hotels.  After receiving 3 emails from various Hilton Hotels in the last 2 days, none with a link to report their error, I called Hilton to get a comment.  For example, Stephen B will be at the Hilton Garden Inn, Cleveland Downtown Nov 14-15.  Hilton Hotels was happy to send his confirmation number and more, but no link to let them know they’d made a mistake.  Amauri A will be at the Hilton, Chicago O’Hare Airport 11/30-12/1 2009.  No link to let them know of the error, but links to “modify or cancel your reservation.”  George U stated at the Hilton Garden Inn Pittsburgh/Southpoint 11/5-116 and earned 119 miles for it.  The General Manager of the hotel, Paul Bazzano signed the email, but didn’t provide details on correcting their error.  The kicker is this: The email states “Please do not reply to this email. Mail sent to this address cannot be answered” but then states “If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete this message.” Hilton, which one is it?  Reply or not?  After replying to the email and receiving no answer after several days, it appears they will not be doing so.

So I decided call Hilton at 877-444-9847. After being on hold for 20 minutes I finally spoke with Bryan Simmons who asked me to forward the email to them so they could investigate.  No reasonable person is going to try to attempt to correct Hilton Hotel’s errors for that long, but I was hoping to be able to speak with someone there and did so.  Perhaps Hilton will correct the issues in the future.

Then we have Beacon Medical Services for Longs Peak ER Physicians that notified us that Jody J. M.’s payment was declined on her Mastercard ending in XXXX for $55.00 with 1990534xx as the account number.  After speaking with them, they say they do not email people, so someone must’ve been pretending to be them and spamming with that information. True?  Perhaps.

Vonage is yet another company that has difficulty protecting individuals private information.  Vonage has been sending me the visual voicemails, with voice-message.wav attached for a Willie T. at 706-955-11xx.  They provide no means of notifying them of problem and are sharing private voicemails with someone who is not their customer.  Calling their toll-free number (which should NOT be required) connects you with someone who is not a native English speaker and who (both times I called) had difficulty in understanding how they could be sending me someone else’s voice mails.

Sprint (sprint.com) continues the trend with no way to notify them, and no way to remove yourself.  Sprint has been sending us Gary S’s PIN and security answer with only a part of the account number blocked.  So, there is absolutely no way to notify them that they are sending the information to us.  Amazingly poor privacy protection.

Few of the companies provide the means to correct their mistakes.  Someone who was attempting to steal and identity or commit fraud could use this information to further their cause.  Likewise, any burglar would love to know when a person is going to be out of town in Pittsburgh or Orlando.

Some suggested requirements for companies who send private information to their customers.

(a) Require users to enter email addresses twice.  Require employees to enter email twice and read the email address back to the user.

(b) Verify email addresses prior to sending.  This does not mean just a link to click on, but a code sent via regular mail or text message that is then entered after clicking a link in the email.

(c) Provide a method to report an incorrect address.  Just a link that says “You have the wrong email address, please delete it” would be sufficient.

(d) For confidential email, senders should sign and/or encrypt the email with something like PGP.  Sending confidential information by email is just a bad idea all around.  It is like sending private information by postcard and addressing it to the New York Times.

In short, while the companies above are claiming to protect your privacy a combination of mistakes by either their customers or their representatives are failing to do so.  We’ll be updating this report over time.

Let’s analyze this.  You can pay whatever you are paying per month now for insurance or you can forgo buying insurance and pay an annual penalty knowing that you can buy insurance later when you need it.  Simple trade-off there.  Pay $500/month for health insurance now or pay $200/year penalty and only pay the $500 when you need it.

If even a percentage of people wait until they are sick to get coverage, costs will go up on the people who do not try to cheat the system.

The Federal government has one method of making a “universal coverage” mandate viable:  huge taxes that everyone has to pay followed by jail if they don’t.  Every other method can, and will, be gamed.  Look at all the other government programs that people cheat on: from military purchases, to food stamps being, to Social Security (relatives of the dead still collecting), to Medicare, to Medicaid (dump your assets so you qualify) to taxes.  Government socialized health care will be no different.

Even ignoring the Constitutionality of it, do we really want jail time for not having health insurance in what is supposed to be free country?