Delay, Deny, Defend - the role of the ombudsman in the twenty first Century (PART 2)

In part 1 we looked at the price we pay in terms of personal security for the sake of on-line convenience; in part 2 we conclude our sorry story of Delay, Deny, Defend, before winding up with some lessons learned.

Evil forces are at work in the world
(Adobe AI image)


The mobile phone provider’s story


I have already said how my mobile phone provider was duped into giving away my mobile phone number via chat. Security involved sending a code to my email address which, as my email account was briefly in the hands of the scammer, was passed. The agent I chatted to appeared genuinely shocked, telling me I was changing job which provided a phone so wanted to pass this phone on to a family member. I had to explain it wasn’t me (they even asked if there was anyone else in the house who could have done it) and eventually they believed me.

As I explained, their only error was to say they were cancelling the PAC immediately when in fact it took approximately ten days to get the number back. There was also delay acting on the security breach and I remember a phone call after four days where the agent was shocked that nothing had been done by their organisation to recover the number from Giffgaff.

The mobile phone provider accepted they had made mistakes and have offered compensation accordingly. I have not pursued them for transcripts of the chat with the third party as they had given me a fair account of the tactics used.

The credit card supplier’s story

As I was unsuccessful in getting the PAC stopped, and as the third party had had chance to look around my business via my compromised email account, once the PAC came into force the fraudster turned his attention to my credit card account. Of course, if, as I suspect, the initial leak of my personal data came from a dodgy credit card deal, this could have been their target all along.

We won’t go into how they breached security on my credit card account. Once again, because I wanted to know exactly what they knew, I complained to the credit card company on the basis that their security procedures had proved inadequate.

To be honest I thought my complaint was probably groundless. Consequently I was horrified to receive a call from the Company upholding my complaint, confirming that their agent had given away my personal data which had facilitated the fraud, and offering me compensation for the stress and inconvenience caused. While they did not provide the transcripts I requested, they did tell me how to obtain them.

I completed their online Subject Access Request (SAR) form and waited. A couple of weeks later I received a couriered package which told me they couldn’t provide the information as it contained third party data and they couldn’t compromise their (the third party) GDPR rights. I appealed this decision by generating another online submission and this time the couriered response told me that they couldn’t provide the data as it would compromise their (the credit card company) security protocols. Great!

Disappointed with their response, I raised my complaint with the Financial Ombudsman. Bearing in mind that my credit card supplier had already admitted they had made an error and offered compensation, the FOS went full counterfactual and concocted a story placing the blame firmly on me and suggesting that I’d somehow given the third party access to the credit card app on my phone (as I didn’t use the app you can appreciate why I found this hard to accept). They made no attempt to persuade the Company to provide the transcripts.

I have appealed this decision because it is so basically wrong. The FOS take six months to deal with appeals, hence while I await the outcome, I have short circuited the process and taken this case to the ICO as well. 

Information Commissioner’s Office

Where you have requested your personal data from a company or public body and this has been unsuccessful, you can take your case to the ICO. They are currently taking about five months to respond. I used the online process which is okay, allows you to make your case and add attachments, but as with all these processes you feel a little uncertain as to whether you’re providing the correct level of detail.

I am now waiting the five months for responses from the ICO on my information requests on energy, email and credit card.

Back in the summer I raised a case against Giffgaff with the ICO. I received a response in December. It wasn’t very successful, but it did show me how they expected the process to work and they did tell me who to contact at Giffgaff to further my cause.

Based on this I have made a formal SAR request to my energy supplier asking for transcripts of the chat with the scammer on the day in question. I don't know if this will be successful, but hopefully it will avoid me waiting 5 months for the ICO simply to tell me I should have made an explicit request, as opposed to the request implied in my complaint, first.

Delay, Deny, Defend

The recent shooting in New York has brought the concept of delay, deny, defend to my attention. It made me realise that these were exactly the tactics the various companies and ombudsmen I’d been dealing with had deployed.

This is how it works. First of all you complain; you don’t get a response or you get a response in poorly written English and that’s all part of the delay process. Or they’ll tell you they’ve lost something or didn’t receive your complaint so further denial and delay.

The companies can only deny and delay for so long because after eight weeks you can take your complaint to the Ombudsman. The company will even give you a letter saying you could take your complaint to the Ombudsman because they know that process is overstretched and will just add to the delay.

What I noticed was that once you’ve gone to the Ombudsman the companies really double down and go into full defend mode. Suddenly it’s all “customer’s incompetence”, “he’s mistaken”, “it’s the customer’s fault” et cetera et cetera and so it just drags on and drags on.

From what I’ve seen the ombudsmen are all part of the delay and defend process. Everything takes time, everything is treated with an air of supposed helpfulness aimed at letting you down gently in the hope that you’ll give up and shut up.

In a couple of instances I think I would have been better off if the ombudsman had rejected my case in the first place. They certainly didn’t further my cause, obtain anything useful out of the company or appear prepared to challenge what the company had said. They all insisted they couldn’t investigate fraud, as this was the job of the police, but were prepared to accept cases that involved fraud. I assume their KPIs are based on cases processed so they need a few that can be readily dismissed to keep the numbers looking sweet.

All ombudsmen have an appeal process but this is nothing more than a line manager marking their underling’s homework and in no way represents an independent or fresh look at the case. It is simply more deny and defend. At least with energy and communications the delay added by the appeal review was relatively short; in the case of the financial ombudsman the delay is currently six months.

Remember my main aim in all of this was an attempt to know what parts of my personal information the third party knew. In all cases the ombudsman took the complaint on, suggesting they could help me, only to ultimately conclude that they couldn’t and that I should take my case to the Information Commissioner’s Office.

I don’t know if you need to go through all this pain in order to strengthen your case with the ICO, or if it’s just part of the deny, delay, defend grindstone. Most companies only seem to keep these records for 12 months, so the longer they delay with an impression of action, the quicker your 12 months will be up and your data “unfortunately no longer available”.

"The various ombudsmen services are not there to help you; they are there to protect the system and are all part of deny, delay, defend"


Finally we should note the one defend tactic that all companies will use to make you go away: compensation. Some people will find that works for them. I do not know how you calculate compensation for all the stressful days and nights worrying about who’s got your data or how someone was stupid/malicious enough to give it away in the first place, but each will have their own threshold of what’s acceptable.

In many ways this is an easy get out for the companies. They want you to take your £50, keep quiet and go away. They’re not worried about improvement. They’re not worried about providing any sort of service and they’re certainly not serious about giving you any sense of security in dealing with them.

For me personally it was never about compensation. It started out being about finding out how my personal data got into the hands of a third party in the first place and developed into a crusade against the “convenience at the expense of security” mindset.

I’m not sure how it will end; as I’m writing this, Christmas 2024, I have about six months left before I suspect the evidence I seek will be destroyed forever. I have a serious concern that the powers that be have it in them to defend and delay giving answers until that unfortunate milestone is passed.

Lessons learned

If you are going to succumb to an online life of convenience, here is some advice based on the mistakes I’ve made.

  • Don’t give out your personal data unnecessarily. Challenge when people ask for your data, why do they need it, can they protect it? Challenge, challenge, challenge!
  • There is no such thing as low level data. It all builds up to be high level data.
  • If something appears suspicious, it probably is. Don’t ignore irregular random messages. They may be indicative of a wider ranging attack.
  • Don’t believe you can stop the PAC process once it has been initiated; and definitely don’t trust the phone number until it is securely back in your control and the PAC clearly dead.
  • Once you get the slightest indication that your email and/or mobile phone number is compromised, lock down your financial accounts immediately. This may lead to short term inconvenience, but it will provide security in the long run. You have to try and get ahead of the scammers, and then go back and tidy up the damage they’ve done.
  • The various ombudsmen services are not there to help you; they are there to protect the system and are all part of deny, delay, defend.
  • Remember you are basically on your own; treat everyone with suspicion and don’t expect the system to provide any form of defence in depth. Your online security is built like a house of cards, waiting to collapse at the slightest puff of wind.

------------------------------------------------------------------------------


Harveywetdog/Author - David Robinson CEng FIET 
David spent approaching 50 years in Her Majesty's Electricity Supply Industry before retiring
He was part of the highly successful design team on the Sizewell B Nuclear Power Station Project before spending 25 years producing safety cases to keep our aging AGR fleet generating for the good of the nation
He is responsible for the Harveywetdog YouTube Channel which he maintains as an outlet for his creative talents
David is now in remission from blood cancer but refuses to be a victim
All views are of course his own but might be influenced by the medication he's had to take
