"And why weren't individuals with access restricted as to what data they could retrieve and for which customers?"

How?

People working support in a call center obviously need access to the records of every customer, because they could potentially have to provide support to any customer. And in most cases you can't restrict what information they have access to see because they need to see it in order properly to support the customer.

Eugene, what he says is perfectly true.

Any time any agent accesses information on a customer he's not actively dealing with, that is basically misuse.

So, how do you detect it all?

You have to go through every instance of access to any customer's records. i.e., you have to audit *every single operation performed* by every customer service agent ever. That is *technically* possible but not practically possible.

It's trivial to, say, find out if anyone inappropriately accessed one given person's records. If Arnold Schwarzenegger thought someone at California Television had improperly accessed his record that'd be easy to check: you look at Arnie's account, note every instance of access to it, and check whether that access was made for a legitimate reason. For a single-customer scenario like that, of course it's easy to check.

But that's not what the guy said. He said it was difficult or impossible to uncover "all the instances" of abuse. This is perfectly true, because *any* customer's account could potentially be accessed improperly, and it is not practical to check every single access to every single account in the system.