By Ben Rafferty, Global Solutions Director
This month, Verizon revealed that as many as 14 million records of customers who called the company’s customer service department had been compromised in one of the biggest data security incidents of 2017 (thus far). Each record contained hundreds of fields of sensitive personal information, including customers’ names, home addresses, cell phone numbers, email addresses, account PINs and more. The files were found on an unprotected AWS storage server owned by Nice Systems, a Verizon partner that helps facilitate the company’s customer service calls, and were downloadable by anyone with the easy-to-guess web address.
It’s important to note that this wasn’t technically a data breach, nor was the company hacked. However, there is a possibility that an opportunistic hacker spotted and took advantage of the gap in security that left customer data exposed. Whether the customer information has ended up in the wrong hands because of the lapse in data security will be easy to tell if the data turns up for sale on the dark web, and much harder to tell if it is used fraudulently.
Regardless of the semantics of data breach versus data exposure, this is yet another high-profile, headline-grabbing example of why it is critical for companies to ensure that all Personally Identifiable Information (PII) is 100 percent obscured and encrypted when not in use. Organizations must also know where PII resides in core systems, logs or metadata. No matter what channel the data is gathered through – whether it’s via phone or the internet – all consumer data is a potential prize to hackers, and therefore must be considered a security risk for businesses. It’s unsettling that a company that has worked in the space of sponsored state surveillance has a supplier that has forgotten data security rule 101 – namely, to secure the data.
Incidents like this one reinforce the strong need for companies to stay ever vigilant and do more to keep their customers’ data safe, no matter where it resides. For example, if your company is outsourcing data services, make sure that the organization you’re partnering with is aware of the type of data they are handling and aware that they are picking up the associated risk. Business contracts with third-party vendors or business process outsourcers should include language stating that they understand the risk has been transferred to them and that they will be liable for the consequences if that data is compromised.
When it comes to outsourcing call center operations, one of the best options is for businesses to simply make sure that sensitive customer data never enters the call center infrastructure in the first place. For example, using Semafone’s patented payment solution, Cardprotect, companies can have customers enter their payment card data, account PINs or other sensitive data directly into the telephone keypad. The Dual Tone Multi-Frequency (DTMF) tones are masked and replaced with flat tones so the sensitive data cannot be recognized or captured on a call recording system. The data is automatically segregated and securely routed to the payment processor, keeping it out of the call center infrastructure completely. With such an approach, companies can dramatically minimize risk by ensuring that customers’ payment card data is not captured on call recordings or sitting (insecurely) somewhere in the call center infrastructure, waiting to be hacked.
By taking more proactive measures to secure their customers’ sensitive data – whether the data is within their own organization or is being handled by a partner – companies will not only be helping their customers, but will also be better protecting their own reputations and ensuring they don’t make headlines for the wrong reasons.