
Personal data not so personal any more

dug · Dec 11, 2022 · 3 mins read
an eBay support chat agent releasing a customer's personal information to an online hacker - painting by Marc Chagall

In theory, to comply with GDPR, companies that store your “Personal Data” (see https://gdpr-info.eu/issues/personal-data/) should handle it to a certain standard, including deleting it when it is no longer needed.

These rules mean, for example, that if you rang up my bank and said “I need to know where Dug Falby lives” they would politely tell you that they can’t divulge that information. If you were cheeky, you might even press further, making up some story about why it’s OK to share that information. You might say you were my Dad and it was a health issue; or that it’s urgent; or even that a Nigerian prince is trying to send me gold bars from an unclaimed inheritance.

So, because we have quite a lot of cheeky going on, the people who manage call-centres, chat support and things like that make sure their teams are trained to spot the issues and keep our data safe.

Unless you’re eBay, in which case you share #personaldata with anyone who chats with your support team.

[transcript begins]

subject: just my address
2018-09-25

04:27:45 UTC Heins
    Welcome to eBay Live Help, my name is Heins. 
    Please stay connected while I review your query.

04:27:56 UTC Heins
    Hello

04:28:04 UTC Heins
    May I know, if you wish to update your address?

04:28:37 UTC eBay_Guest
    i just need to know the address on my account

04:28:45 UTC eBay_Guest
    if that's possible please.

04:29:24 UTC Heins
    May I know, if you wish to know the address 
    to which the items get delivered to ?

04:29:37 UTC eBay_Guest
    yes correct

04:30:08 UTC Heins
    I will check what can be done in this case, 
    Might have to verify your identity first though!

04:30:11 UTC Heins
    I would appreciate if you can help me with your 
    full name, User Id and registered email address 
    to fetch your account details.

04:30:33 UTC eBay_Guest
    yes my name is dug falby 
    and my email address is dug@donkeyontheedge.com

04:31:57 UTC Heins
    For verification could you share your 
    phone number ending with 655?

04:32:40 UTC eBay_Guest
    07515661655

04:33:49 UTC Heins
    Thank you for verification. we have your address 
    with xxxx xxxx avenue, do you recall 
    this address, Dug?

04:34:24 UTC eBay_Guest
    yes please could i have the full address please

04:34:42 UTC eBay_Guest
    with post code?

04:36:08 UTC Heins
    Yes, here is the complete address:

04:36:10 UTC Heins
    [Redacted: Full postal address with postcode]

04:36:27 UTC eBay_Guest
    thank you heins

04:36:53 UTC Heins
    You are welcome. May I ask, why you wish to know the address, are you facing issues with login to your account?

[transcript ends]

I have now closed my eBay account. The account was [redacted]

It’s very subtle: the little nudge for the postcode, the volunteering of more data than asked for up front. This language is the work of an advanced fraudster very familiar with human engineering, right down to the “thank you heins” at the end.

Note also that by the end of the call, “Heins” has realised what he has done (see his question “why you wish to know the address”), but at that point the damage is done and team cyrus just hangs up on him.

I hope Heins gets some more training:-(


