The amount of personal information shared by companies or available online could be exposing people to a greater risk of being scammed by fraudsters, Which? warns today.
Which? Editor Neil Fowler was shocked to discover how much personal information about him was available on publicly accessible websites.
Using only his name and occupation, a researcher was able to track down private details including the names of Neil’s close family and the floorplans of his home, including access points.
Identity fraudsters can use the internet to gather personal information, and then use this knowledge to trick people into revealing PIN numbers, passwords or other security information.
People who leave personal details on social networking sites are particularly at risk.
Organisations that collect personal data must ensure individuals understand how their information is stored and used.
But, following our latest investigation, Which? is concerned that Transport for London (TfL), according to its public documents, may not be complying with the Data Protection Act (DPA).
TfL’s Oyster card logs London Tube and train passengers’ travel details for eight weeks. Yet when customers sign up for an Oyster card, all the registration data protection statement says is that the personal information is used for ‘the purposes of administration, customer services and research’.
We were concerned that Virgin Mobile’s public documents weren’t clear on the use of personal data, either. Virgin Mobile’s privacy and security policy says that personal data are collected to ‘develop your service for the future’. Yet Virgin’s policy also says that data may be shared outside the country and with other companies.
Virgin says it needs to share this personal information because it uses other companies to provide part of its service. However, Virgin also appears to cast some doubt on whether those companies can keep your data secure.
Its policy states: ‘You should be aware that companies outside the European Union may have a lower standard of protection for personal information than that provided by the Data Protection Act 1998. We will, however, seek to have your data processed in accordance with English Law.’
Virgin Mobile told us the Information Commissioner has confirmed Virgin has ‘taken appropriate measures to ensure that any personal data transferred overseas is afforded the same level of protection as it would have under the DPA’. Virgin Mobile has provided Which? with a copy of this confirmation from the Information Commissioner.
Private companies are under no obligation to admit to security breaches, so people may not be told if their bank or mobile phone company, for example, loses their records.
The Information Commissioner’s Office was recently given powers to do spot checks on how public organisations manage their data, but this doesn’t extend to the private sector.
Which? Editor Neil Fowler said: ‘We all need to take steps to protect our personal data – both online and offline – by being more aware of how it could be used, and taking care whom we share it with.
‘Which? is concerned that some private companies aren’t complying with the Data Protection Act and we urge them to tighten up their processes.
‘We’d also like the government to consider extending the Information Commissioner’s powers to include spot checks on private sector databases, so that consumers can be reassured that their data are in safe hands.’
We’ve produced a checklist to help you cut your risk of ID fraud:
- regularly check your personal credit file to ensure it’s accurate
- check bank and credit card statements to make sure there are no unfamiliar transactions
- cancel lost or stolen cards immediately
- use a shredder to get rid of documents you don’t need
- never give personal or bank details to anyone who contacts you unexpectedly
- don’t use the same password for more than one account
- make sure you have up-to-date security software installed on your computer
- don’t tick ‘Yes’ to share your details with third parties
- give away only the minimum details on social networking sites and make sure you understand the privacy settings.