There has been considerable controversy – and in the U.S. already some movement towards legislation – over phone record mills, companies that obtain and sell the phone records of individuals (David Fraser has given the issue extensive coverage on his blog). These records are obtained in three ways: some are purchased from insiders, some are obtained through unauthorized access to online accounts, but many are obtained by pretexting – calling under false pretenses, using carefully designed social engineering scripts. From an AP account:
The LAPD eventually determined that the officers’ personal data came from a Denver firm, Touch Tone Information Inc., that used a technique known as “pretexting.” Touch Tone workers would call up phone companies and records holders pretending to be regulators, customers or employees and get them to divulge account information.
What I find particularly troubling about pretexting is that it pulls back the covers on what must be profoundly lax security precautions at the phone companies: a caller who can tell a convincing story is handed another person's account information. It suggests that they are still – even after all of 2005's controversy over poor data security – remarkably unconcerned with building data security in as a core value of their corporate cultures, quite apart from the obvious failure to build sensible data protection measures into the business processes that release customer data. At some point, data security just has to be recognized as a mission-critical obligation of these organizations, and there ought to be serious and punitive consequences if they are not up to this challenge.