
Commissioner’s Findings - PIPEDA Report of Findings #2012-004: Weak authentication allowed imposter to hijack customer’s cell phone account
A customer complained that his cell phone service provider disclosed his personal information to an imposter and inadequately responded to his request for access to his data. The Office of the Privacy Commissioner of Canada (OPC) found that the provider contravened PIPEDA by allowing an employee to disclose sensitive account details without proper authentication. The OPC also found that the provider initially failed to meet the 30-day deadline for responding to the customer's access request, but this aspect was later resolved. The OPC recommended the company review its privacy management programs.
- Disclosure of personal information without consent
- Failure to properly authenticate a caller
- Adequacy and timeliness of response to access request
- Effectiveness of employee training and adherence to procedures
Complaint found to be well-founded regarding disclosure and well-founded and resolved regarding access.
The provider failed to ensure its employee properly authenticated a caller before disclosing personal information, contravening PIPEDA. While the provider initially delayed in responding to the access request, it eventually provided the requested information, resolving that aspect of the complaint.
AI-generated summary for reference only. Always verify against the official decision.
The OPC recommended the company consult guidance on privacy management programs to review its policies and procedures.
- Principle 4.3 PIPEDA
- Principle 4.9 PIPEDA
- s. 10 PIPEDA
- s. 2(1) PIPEDA
- s. 8(3) PIPEDA
- s. 8(4) PIPEDA
- s. 8(5) PIPEDA
- s. 9(1) PIPEDA
This summary is for informational purposes only and does not constitute legal advice.

