Friday, August 10, 2012

Privacy Policies are Worthless

I'm going to go off topic here and talk about a privacy experience I had.  I've chosen to keep the name of the company anonymous.

Recently my company changed payroll services and all pay stubs are now stored electronically, no more paper mail, whoopee!  Each employee was sent their temporary login credentials via snail mail, and I somehow misplaced mine.  So I did what any other person would do: e-mail the company about how to reset your username and password.  To my shock, it was way too easy.

As you can see, my initial e-mail was very basic, simply asking how to obtain my login credentials.  I figured the response would be something like, 1) go to this site and do these six steps, or 2) call this number and we'll mail you a new login.  To my surprise, I received a reply back within 20 minutes containing my login credentials; I was not asked to verify my name, mailing address or last four digits of my SSN.  I replied back and gave my concerns, and today I received a response back from the payroll company's president:

I'm glad he apologized and recognized the security risk as I did, and I'm sure they will correct the issue internally.

However - this just shows that information may be encrypted, then put on an encrypted disk in a data center with locked cages, multiple keycard passes and gates, in a bunker under a mountain that's monitored by hundreds of people.  But it doesn't mean that the human sitting at the help desk answering e-mails, with access to that highly protected information, knows how to handle it.

I find this almost hilarious - it's never the computer that says, "Oops! I left my tape backup in the car unencrypted and the car was stolen!"  It is us humans who make the mistakes, and it always seems to take one bad breach of protected information before things change...why are we more reactive rather than proactive?

To top it off, I found this pocket-size book to help me remember my secret passwords at the Hallmark checkout line when buying a birthday card.   I love the fact that it says, "a confidential handbook" and "keep in a secure place"; it's like whoever gets their hands on it will see those words and not read it!