Costa Coffee Club members wake up and smell the data breach

Costa Coffee is warning customers it may have suffered a security breach and, alongside resetting the passwords for all of its Coffee Club accounts, is going to implement a "new format" for users' passwords. The Costa Coffee Club is Costa's "little way of saying thanks", and it certainly is little, offering five pence for …

  1. Anonymous Coward
    Anonymous Coward

    I like Costa

    in the main. However, they appear to be going down the fashionable route of insisting you "contact them" via social media. What on earth is wrong with an old fashioned email ?

    The reason I recently wanted to contact them, was to express my utter disgust that all the staff at their Harborne branch seemed perfectly OK with a customer bringing her rat-on-a-string dog in. Or are they aiming for the *real* Parisian cafe culture ?

    1. Gordon 10
      FAIL

      Re: I like Costa

      What's wrong with a truly old fashioned letter of complaint to their CEO?

      I think you are being a bit optimistic in expecting any electronic communication not sent to a specific address and with a specific subject getting anything more than a rote response.

      Besides - report the branch to the council food hygiene peeps.

    2. Anonymous Coward
      Anonymous Coward

      Re: I like Costa (Email Contact addresses should be required)

      Have an upvote!

      It should be absolutely MANDATORY that there be a plainly visible contact email ADDRESS on every company's web page. NOT a web mail form but a plain address so that you can actually contact people and use more than 140 characters to do so.

      I for one will not ever use "social media" to communicate with anyone! Not going to get an account so I can, I will just stop using their product or service if they force me.

      Email is not "old fashioned", it is my opinion that "asocial" media is a fad for fatuous poseurs and limits free speech. Texting is not conducive to communication.

      Companies don't want you to be able to contact them easily and have a cogent discussion, they want you to jump through the hoops they deliberately put up to prevent the extra work of having real customer service.

      1. Anonymous Coward
        Anonymous Coward

        Re: I like Costa (Email Contact addresses should be required)

        It should be absolutely MANDATORY that there be a plainly visible contact email ADDRESS on every companies web page...you mean like germany? where practically every website has to have an "impressum" with information such as the address...even if it's just your personal blog...as soon as you express an opinion you fall under the journalistic umbrella and bang - you're legally required to give your address to world and dog (I know you said company but what about self-employed? and what if you have ads on your website? etc).

        1. Anonymous Coward
          Anonymous Coward

          Re: I like Costa (Email Contact addresses should be required)

          "It should be absolutely MANDATORY that there be a plainly visible contact email ADDRESS on every companies web page."

          Problem there is that spammers harvest published email addresses and sell them on to everybody. This renders your published address next to useless in short order; with the attendant time cost and the danger of missing out on a genuine -possibly critical- message because it's buried in crap. And obfuscation doesn't work (like putting the address as name (at) domain.com or publishing the address as a graphic) as spammers just hire someone cheap to dig up a list of contact addresses.

          The only way to stop this is to not publish the email while still making contact possible (and, importantly, easy for the customer); hence contact forms.

          So now you know.

          1. Anonymous Coward
            Anonymous Coward

            Re: I like Costa (Email Contact addresses should be required)

            "Problem there is that spammers harvest published email addresses and sell them on to everybody. This renders your published address next to useless in short order"

            I've had dealings with a number of companies that have had web-published customer service email addresses, and have responded quickly and effectively. Clearly they are managing to operate well despite the tsunami of spam, so I'm puzzled by those companies that aren't so competent.

            1. Anonymous Coward
              Anonymous Coward

              Re: I like Costa (Email Contact addresses should be required)

              I've had dealings with a number of companies that have had web-published customer service email addresses, and have responded quickly and effectively. Clearly they are managing to operate well despite the tsunami of spam, so I'm puzzled by those companies that aren't so competent.

              Well spam filters are better these days, and it also might be a question of scale...a company that can throw a couple of interns at it will fare better in this respect than your average one-man-band outfit. Likewise, a company that has a dedicated member of staff (or support department) to handle incomings will cope better than companies that work on a more ad-hoc basis. I've also been in places where a tsunami of spam would be welcomed by at least one staff member...an opportunity to look busy all day without having to engage a single neuron (and if anyone questions your productivity you can simply point to the 12,000 spam emails you dealt with last week).

              If you have a published email address (versus a web form) two things will happen:

              1) You will be spammed harder as time goes on

              2) You will have less people contacting you. Some people do not know how to cope with an email address and some people won't bother because it's extra effort.

              You can mitigate the spamming somewhat by obfuscation; or you can burn and replace your support email address at intervals (that is a bit risky though because you can alienate/ignore people trying to contact you on the old address).

              I'm not the world's greatest fan of webforms; but it really is the best option available at the moment. There is -for the user- that feeling of sending your message into the unknown: Some companies realise that and that is why you get the almost-instant "Yep we received it and you're in the queue to be dealt with" automated response from some places.

              Webforms are email essentially. It's a lightweight client to send in one direction to (usually) one address.

              Just remember to look for tickboxes so you don't sign yourself up to any mailing lists.

          2. Trigonoceps occipitalis

            Re: I like Costa (Email Contact addresses should be required)

            OK, but please let me have the option of a copy sent to my email. Then I know the web site has actually sent something somewhere (or not) and I have a copy of what I said.

            1. Anonymous Coward
              Anonymous Coward

              Re: I like Costa (Email Contact addresses should be required)

              @ Trigonoceps occipitalis:"OK, but please let me have the option of a copy sent to my email."

              I see your point, but this can be a risky thing for a company to do...you would then run the risk of

              1) Your webform being used as a spamming engine (if it's only relaying messages to your customer support address then it's fairly easy to lock down; but if you allow it to send to multiple addresses, some of which are user-defined it all becomes more tricky). Remember also that if your webform gets caught spamming, your whole domain will be locked down for at least a couple of hours until you can get yourself out of the blackhole. Possibly multiple domains, if they share the same IP address. During that lockdown, people attempting to contact you will not be able to send you email; and that can be expensive; possibly disastrous. At the very least, it doesn't look good.

              2) Badly set up forms (ie, where it is not explicitly stated in the body text that this message is from a webform at $site) could also be used to send convincing messages from a genuine live company address. Pretty sure there is some potential for havoc there.

              The standard response is to send a very basic "yep we got it" email out automatically. Your message is normally stripped out/not included due to data protection. It's not uncommon for people (especially to support and similar) to have personal details, identifying information, maybe passwords. There's no way in hell a company is going to risk sending that, sight unseen. That's also why support emails from a company generally don't copy the whole conversation (because -amongst other things- it would give an attacker multiple chances to get their hands on delicious personal information).

              As soon as a company sends an email, they become legally liable for the contents.

              So while your request seems simple -and technically it is- it's entering shark-infested waters, legally speaking. It's not that nobody has thought of it; but if you consider the public reaction to both spamming and data breaches (and your proposal has potential for misuse in both areas); can you really blame companies for not wanting to go there?
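The two risks listed above (a webform turned into a spam relay, and a badly set-up form producing convincing mail from a genuine company address) are both avoidable in the form handler itself. The following is an added example, not code from Costa, The Register or any commenter; the mailbox names and the `SITE_NAME` constant are made-up placeholders. It hard-codes the single recipient, refuses line breaks in any header-bound field (header injection would otherwise let a submitter add `Bcc:` recipients), accepts only one bare reply address, labels the message as coming from the webform, and sends the customer a receipt that does not echo the submitted text.

```python
"""Hardened contact-form relay (added example; assumed, hypothetical setup).

Assumptions: the form posts a name, a reply address and a message; the only
recipient is a fixed internal support mailbox; the acknowledgement carries no
copy of what the customer wrote.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

SUPPORT_MAILBOX = "support@example.com"   # constant; never taken from the form
FORM_SENDER = "webform@example.com"       # distinct from any real staff address
SITE_NAME = "example.com"                 # placeholder site name

class FormError(ValueError):
    """Raised for any submission that must not be relayed."""

_HEADER_BREAK = re.compile(r"[\r\n]")

def clean_header_field(value: str, max_len: int = 200) -> str:
    """Reject CR/LF (header injection) and empty or over-long header values."""
    if _HEADER_BREAK.search(value):
        raise FormError("line break in header field")
    value = value.strip()
    if not value or len(value) > max_len:
        raise FormError("empty or over-long header field")
    return value

def validate_reply_address(value: str) -> str:
    """Accept exactly one bare mailbox; refuse display names and address lists."""
    value = clean_header_field(value)
    display_name, addr = parseaddr(value)
    if display_name or addr != value or "," in value or value.count("@") != 1:
        raise FormError("reply address must be a single bare mailbox")
    local, domain = value.split("@")
    if not local or "." not in domain:
        raise FormError("malformed reply address")
    return value

def build_relay_message(name: str, reply_to: str, body: str) -> EmailMessage:
    """Message to the support mailbox: fixed recipient, origin clearly labelled."""
    name = clean_header_field(name)
    reply_to = validate_reply_address(reply_to)
    if len(body) > 20_000:
        raise FormError("message too long")
    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = SUPPORT_MAILBOX            # the submitter cannot choose recipients
    msg["Reply-To"] = reply_to
    msg["Subject"] = f"[webform {SITE_NAME}] contact from {name}"
    msg.set_content(
        f"This message was submitted via the contact form at {SITE_NAME}.\n"
        f"Submitted name: {name}\nSubmitted reply address: {reply_to}\n\n{body}"
    )
    return msg

def build_ack_message(reply_to: str, ticket_id: str) -> EmailMessage:
    """Generic receipt: no copy of the submission, so nothing sensitive is echoed."""
    reply_to = validate_reply_address(reply_to)
    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = reply_to
    msg["Subject"] = f"[{SITE_NAME}] we have received your message ({ticket_id})"
    msg.set_content(
        "Thanks, your message is in the queue. "
        "Please quote the ticket id above in any follow-up."
    )
    return msg
```

Handing the two `EmailMessage` objects to `smtplib` is the only step left out; the point is that everything user-controlled is either rejected or confined to the body and `Reply-To`, and the receipt is the same bland text for every submission.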

        2. Destroy All Monsters Silver badge
          Holmes

          Re: I like Costa (Email Contact addresses should be required)

          with information such as the address

          Criticism of various supremacist organizations, gypsy gangs and Döner Oligarchs (and other orgs I will not name lest I be called names) must be pretty rare in Germany.

      2. Anonymous Coward
        Anonymous Coward

        Re: I like Costa (Email Contact addresses should be required)

        P.S. Oh yeah - forgot: You also cannot count on people having an email client these days. A lot of people use webmail, so you'd have to copy the email address, log into your email service, paste the address in and then type your message. Not everyone can do that and -of those that can- a significant number won't bother.

        So web forms aren't ideal; but they're fast and easy and everyone can use them.

        P.P.S. Totally with you on the attempts to force contact though social media. Fine if it's an option; but if that's the only means of contact then there will be no contact from me either.

    3. breakfast Silver badge

      Re: I like Costa

      If it had been a dalmatian or wolfhound that would have been fine...

      1. Florida1920

        Re: I like Costa

        If it had been a dalmatian or wolfhound that would have been fine...

        Corgi?

    4. Anonymous Coward
      Anonymous Coward

      Re: I like Costa

      "they appear to be going down the fashionable route of insisting you "contact them" via social media. What on earth is wrong with an old fashioned email ?"

      Because most of this is led by "marketing Executives" who fall into 2 categories. Early 20's fresh out of uni/college where they did 'media studies' or late thirties/forties who want to think they're still hip. Both groups think that the latest fad is the greatest thing ever.

      Basically if you could get the latest 'media' star pictured shoving a cactus up their arse, they'd all be doing it the next week and declaring it was the future of doing business

    5. Velv
      Paris Hilton

      Re: I like Costa

      Like you, I don't get this "contact us by social media".

      If I had a company serving the public, would I really want my dirty laundry aired in the full view of social media?

      1. I_am_Chris

        Re: I like Costa

        " If I had a company serving the public,

        would I really want my dirty laundry aired

        in the full view of social media?"

        That's exactly why it is a great avenue for getting a response. They want to be seen as being responsive to customer issues. I've had good experience with a few companies via Twitter.

        Much better than an email sent to /dev/null

    6. Viv Fletcher

      Re: I like Costa

      What the hell's wrong with dogs? Yours may be unhygienic, mine certainly isn't.

  2. Anonymous Coward
    Anonymous Coward

    Not that bothered

    The worst that any miscreant would be able to do in my account is rape it for the points value of a coffee. Other than that, it's the usual drill of unique email, password, and a whole bunch of made-up personal details. Surely nobody is daft enough to provide genuine details if they aren't needed?

    1. Nigel Brown

      Re: Not that bothered

      Ask the 1.4 billion Facebook users, of whom probably 1.3 billion give accurate details.

    2. Elmer Phud

      Re: Not that bothered

      There are several born every minute.

      That's what those who dip in to servers rely on.

  3. Elmer Phud

    " "recently identified a small number of Coffee Card members (around 0.02 per cent) with some unusual activity on their accounts". "

    How is it that it's always a 'small number' that is affected?

    First they don't know what's going on - next they have minute details.

    1. werdsmith Silver badge

      "How is it that it's always a 'small number' that is affected?"

      0.02% with some unusual activity

      Because following a breach, the folks that stole the information either don't have time to mess about with every account, or they attempt to work quietly so as not to give the game away.

      So, they could have got all customer details, but have only touched a few accounts.

    2. eSeM

      "recently identified a small number of Coffee Card members (around 0.02 per cent) with some unusual activity on their accounts"

      How is it that everyone I know with a Costa card and web login got one of these emails to reset their passwords ....

  4. David Nash Silver badge

    I have one of these cards and have managed to accumulate enough points for a free coffee or two, over the years. But I didn't bother registering online, especially after I noticed what they asked for.

    It works fine as a loyalty card without registering it.</smug mode>

  5. Dave 27

    To top it all, the process they describe to do password resets involves them sending you a new password in clear text email.

    "1. Close your existing app session

    2. Reopen the app and click 'forgotten password' to reset it

    3. Use the new password that is emailed to you to log back into the app

    "

    1. breakfast Silver badge
      Facepalm

      Welp, sounds like they've got the security stuff sorted out now. Everything is going to be fine. No chance of future boo-boos from these security masterminds.

    2. Dave Bell

      That's pretty standard, and the password they send you is temporary. There are better ways, but how is your email set up? Whether it's a temporary password or a link, how secure is the customer's email?

      I'm a little more concerned about step 5, which you didn't quote:

      3. This will trigger a new temporary password

      4. Use this to log back into the page

      5. If you wish you can change this to something more memorable under the account menu

      It looks like there might be different versions of the email. The email I got is consistent with the temporary password being displayed to you via https. But I would still change it: the 5th instruction is a bit too vague.

      It does make sense to send it by email, since they ask you for the account's email address.

      Incidentally, the 5% return is pretty decent as these things go. A certain supermarket only returns 1%. So they're not so bad.

  6. Colin Miller

    Password format

    [Costa are going to] implement a "new format" for users' passwords.

    Am I cynical enough to read that as "storing it hashed and salted, rather than plain-text"?

    1. Tromos

      Re: Password format

      FTFY

      "storing it hashed and salted and with a sprinkle of chocolate on top..."

    2. This post has been deleted by its author
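Two of the threads above touch the same design question: Dave 27 and Dave Bell discuss a reset flow that emails a new password, and Colin Miller wonders whether the "new format" means salted hashing. The following is an added example, not Costa's code and not anything The Register published; the in-memory `AccountStore` and its email keys are a hypothetical stand-in for a real database. It shows salted scrypt password storage with constant-time comparison, and a reset flow that emails a random one-time token (valid 15 minutes, stored only as a hash) instead of a password, so that whatever is in the customer's inbox is useless after a few minutes or one use.

```python
"""Salted password hashing and a one-time reset token (added example).

Assumed, hypothetical store: a dict keyed by email address. The token returned
by begin_reset() is what the reset email would carry; only its SHA-256 is kept.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # ~16 MiB per hash
TOKEN_TTL_SECONDS = 15 * 60

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

class AccountStore:
    def __init__(self, now=time.time):
        self.accounts = {}
        self.now = now          # injectable clock so expiry can be tested

    def create(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[email] = {"salt": salt, "hash": digest, "reset": None}

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            # Spend the same cost for unknown accounts so timing does not reveal them.
            hash_password(password, b"\x00" * 16)
            return False
        return verify_password(password, acct["salt"], acct["hash"])

    def begin_reset(self, email: str) -> Optional[str]:
        """Return the token to email, or None; the caller answers identically either way."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        acct["reset"] = {
            "hash": hashlib.sha256(token.encode()).digest(),
            "expires": self.now() + TOKEN_TTL_SECONDS,
        }
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Accept the token once, within its lifetime, then replace the hash."""
        acct = self.accounts.get(email)
        if acct is None or acct["reset"] is None:
            return False
        pending = acct["reset"]
        if self.now() > pending["expires"]:
            acct["reset"] = None
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, pending["hash"]):
            return False
        acct["reset"] = None                # single use
        acct["salt"], acct["hash"] = hash_password(new_password)
        return True
```

Rate-limiting reset attempts per account and sending the same "if that address is registered, we have emailed it" response for known and unknown addresses are left to the surrounding web layer; the store itself only guarantees that a stolen database yields salted hashes, and that a token in an old email cannot be replayed.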

  7. paulf
    Facepalm

    Do they really need a DoB?

    I understand (IANAL) that under the DPA a company should only request personal information directly relating to the reason it's being processed. If you're reporting a broken street light to the council they may want an email or phone number to let you know when it's been fixed, but they have no right to ask completely unrelated things like your DoB or NI number for example.

    In that case what the hell is a fucking coffee house asking people for their Date of Birth for?? If all redemption is via the App or in store then they'd struggle to justify the postal address!

    Oh right, yes, I should have realised. The App was designed by the Marketing droids who want their pound of flesh in exchange for the crumbs of "reward"...

    1. John Brown (no body) Silver badge

      Re: Do they really need a DoB?

      "In that case what the hell is a fucking coffee house asking people for their Date of Birth for??"

      Probably it's "required" so that you can claim a free coffee on your birthday. Meanwhile they collect "valuable" demographic information.

      1. paulf
        Holmes

        Re: Do they really need a DoB?

        @ John Brown (no body)

        I agree, that's probably the reason given for asking for it (they may also say it's so they can use it to confirm the user's identity) but it would still, in my opinion (again, IANAL) be superfluous to the reason for processing the data.

        People who hand over this information blindly also need to take responsibility for the consequences of handing over their personal data to all and sundry, but that doesn't forgive the organisation for having non-existent security to protect those superfluous details.

        If we had a decent Data protection organisation they'd have stamped out this kind of unjustified data harvesting before it got out of the starting blocks. I'll not hold my breath because decent data protection would be "Anti-Business"...

  8. Anonymous Coward
    Anonymous Coward

    Or are they aiming for the *real* Parisian cafe culture ?

    That's when the dogshit is outside the door.

  9. g7rpo

    Give away all that info

    For 5% of what's being spent, marketers wet dream

  10. Anonymous Coward
    Anonymous Coward

    Contacting companies

    I completely get why email addresses aren't published, and webforms (even with CAPTCHA) are required,

    I don't have an issue with webforms, except when they redirect to /dev/null, as Remingtons does.

    I had a problem with a Remington product. Used their webform to ask for details of claiming under their warranty (was over a year old).

    (I did this, because I *like* email. I can send it when *I* want to, and get on with *my* life. Yes, there is a phone number for such things, but I tried twice and waited 10 minutes before giving up.)

    A month passes - nada. Mentioned this to a colleague who immediately suggested Twitter. One tweet got a response within 2 hours, asking for more details. I pointed out all the details were in the webform. They replied they never read them, so I had to resupply them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Contacting companies

      "(Remington) ...replied they never read them, so I had to resupply them."

      Well there's a hint as to who shouldn't be on your list when next buying a new razor, then.

      1. Anonymous Coward
        Anonymous Coward

        Re: Contacting companies

        The thing is, most companies are shite at customer service, and end up behaving in a manner which is counter productive. Let's examine the anatomy of the most common reason for interaction with customer services to start with. A complaint.

        Immediately, you should know there are 2 types of customers, Keepers and Losers. Losers are the sort who expect nothing to ever go wrong in the world ever. They're the ones who foam at the mouth, raise their voices, etc etc. Basically people you'd much rather went and wasted someone else's (ideally your competitors') time. Because you can never do enough to "make it up to them".

        The other type - and I include myself here - aren't idiots, and know (FFS I work in IT) that occasionally things go wrong (we're grown ups). It's at that point that "S" needs to swing into action, deal with the complaint without evasion, lying, or bad grace. These are Keepers who will appreciate good service.

        Because it's only when things go *wrong* you get to see customer service.

        There are plenty of companies who have messed up in various ways that I will continue using (Amazon for one, Premier Inn for another) because they have exhibited excellent customer service when I have had a problem. There are also plenty of companies I won't use again, after a simple complaint gets ignored, or trivialised or blamed on someone else.

    2. Anonymous Coward
      Anonymous Coward

      Re: Contacting companies

      Step forward Virgin Media ...

      in 2010, our office closed, and the staff transferred to homeworking. As IT manager I was tasked with arranging business broadband. Being a (domestic) VM customer who has never had any problems with them (and excellent BB !) I fancied giving them a shot. ANYBODY but BT (who I have never had a good experience with, in 20 years).

      Duly found their website, and filled in the webform - full contact details provided - got an acknowledgement and waited for a call. Which never came. So BT got the gig after all (and were predictably shit - the poor CS team had to admit I had correctly predicted every point where they would mess up).

      Fast forward 6 months, and my employer is reviewing telephony and WAN provision, so VM are invited in. I "accidentally" commented on poor response as a concern in a pitch. Bit of a flurry after the meeting. Very red faces when they saw the acknowledgement. Even more red faces when they admitted they could find no trace of that enquiry. (Or, as I pointed out to them, any other enquiry). They tried to tell me I should have called the sales team instead, but couldn't explain why I shouldn't have used the webform.

      Interestingly enough, my MP has a webform contact, and has never failed to reply.

  11. This post has been deleted by its author
