With no disrespect to Australian music legend Paul Kelly, this blog is not about his famous song of the same name, but rather it is a reference to how privacy and information security risks are either frequently overlooked, not properly evaluated or deliberately shifted by organizations to consumers with potentially very serious consequences.
An EFA supporter recently told us of an experience they had trying to open a business credit/terms account with Woolworths at Work on behalf of the school tuckshop, so that the tuckshop could order groceries and other supplies online and purchase them on credit terms. So far, so good.
As part of the account creation and credit assessment process, Woolworths needs to establish the identity of individuals purporting to represent the school and possessing the authority to lodge such orders on its behalf. Again, so far, so good – this is a reasonable and common risk management process.
To facilitate identity verification of business account applicants, Woolworths at Work uses a service from Illion, a provider of data and analytics services that is also a credit reporting body. As part of the identity verification process, our EFA supporter was required to give Illion access to the school’s bank account statements. This could be done either manually (slower) or online (quicker). Again, so far, so good. Or so it seems. See here.
From a privacy and information security perspective, here is where things go south rapidly. Illion actually requested our supporter to provide their online banking credentials as part of its verification process, in order to obtain access to the requested bank statements. Read that again. Illion asked for the individual’s online banking User ID and password so that it could log on to the individual’s bank account and access whatever information it deemed necessary for identity verification and other purposes.
The first thing that springs to mind is: why are Illion, and by implication Woolworths, actively encouraging individuals to apparently breach the terms and conditions of their bank’s internet banking and bank account contracts?
Banks and credit card issuers all specifically contract with individuals never to share their User ID and password; otherwise the individual consumer will be in breach of those contractual terms and become liable for any unauthorised or unlawful transactions that might arise. This is incredibly poor data governance practice, and a question also arises as to the underlying ethics. Why would you incentivise a consumer, using the lure of a more efficient process, to breach a contract with their financial services provider?
The second issue is that Illion and Woolworths are, under the guise of convenience and ‘making the customer experience more frictionless’, creating an unnecessary privacy and security risk for individuals. While the likelihood of an information security or data breach risk may be hard to quantify on the information available to EFA, I am not comforted by Illion and Woolworths proselytising their information security prowess. We know most organisations with an online presence often over-promise and under-deliver on their privacy and information security promises. We also know very plainly from recent events in the press that when it comes to data breaches or loss of control of personal data, it often comes down to a small chink in an organisation’s information security armour that lets bad actors gain access to its personal data stores.
Which brings us to my point: ‘From little things, big things grow’. No matter how good you claim your privacy and information security capabilities are, it is frequently the small things that lead to bigger, asymmetrical negative outcomes for the privacy and security of consumer personal data. In the case of Illion and Woolworths, if you actually want to be trusted stewards of consumer personal data, try collecting less of it, and never ask consumers to share their online banking credentials.
One last word, or 568 words actually. That is the number of words Woolworths uses to tell customers how to opt out of marketing from Woolworths at Work. Those instructions are listed (buried) in Clause 29 of the Woolworths at Work Terms and Conditions.
Come on Woolies, lift your game. You can do much better than this!
This piece was written by EFA board member, John Pane.
What are your thoughts? Discuss with the EFA community on Facebook, Twitter or Discord.