I’ve been having some more difficulties with BT over the last few days (more details later, when I discover what has actually happened), and I found myself looking at their SMS webpages again.
As regular readers know, shortly after I complained to them about their previous system, whereby you could find out when anyone last paid their phone bill just by knowing their phone number, the service was replaced by one that also required you to know their BT account number.
What I didn’t realise until today was that now, as long as you know their account number, you can find out not just when someone last paid their bill, but also how much they paid.
This is quite an astounding breach of basic privacy and Data Protection principles. BT bizarrely seem to think that your account number is a sensible security barrier, even though it’s casually printed on almost all correspondence from them.
Even aside from the normal misdirected/stolen mail, unshredded mail in the bin, and identity-theft-type scenarios, surely BT are well aware that a significant number of companies (banks, utilities, etc.) accept, or even ask for, a recent phone bill as proof of identity?
When I fought with BT on this issue last month I never got around to actually reporting the issue to the Information Commissioner, mostly due to BT’s friendly offer of £25 compensation (which I discovered yesterday they haven’t actually credited to my account yet, but more on that later). Now I may just be pushed far enough to make the complaint…