TalkTalk still struggles to shut down legacy email addresses on request Months after The Register first wrote about TalkTalk failing to close a former customer's email address, the firm is still using the General Data Protection Regulation as an excuse for dragging its heels. Reg reader Rose got in touch with us after reading our report of the zombie TalkTalk email account from March to complain …
Companies hide behind "ID Verification" to delay the process and force-ably collect additional data about individuals.
So good Luck with Talk Talk. I have been fighting a financial institution who owe me £2000. Because I have changed my address in the last 5 years - once - and because my passport has been renewed so the old number is not valid ID they insist on;
An original Bank Statement for the current address and an old one from the old address
An original Utility bill for each address (given these now are electronic means not possible to give an original)
An original of my UK Tax coding or other Tax correspondence
An Certified copy of my driving license for the new address.
No way am I sending this much information to an organisation who 3 years ago had a major data leak.
Even more galling is that another branch of the same organisation are quite happy to deal with me at the new address for investments in excess of £2000.
My next action is probably Small Claims Court to teach the bu***rs a lesson.
There is no such thing in the UK as the "Small Claims Court" (whatever Which says). There is the "Small Claims Track" in the County Court.
This matters because if a case is dismissed _before_ it is assigned to a track, the standard rules for costs apply - the loser pays. It is not beyond the bounds of possibility that the financial institution will decide to fight, and apply to dismiss the case on the grounds that they don't dispute they owe "Barrie Shepherd" £2000 - but they are obliged to check you are the Barrie Shepherd they owe the money to. If they succeed, they could end up stinging you for £lots costs (rather more than £2000).
Icon: Lawyers.
I have the opposite issue: We looked into a Virgin Business account for a client due to lack of choice, they let us down multiple times on just the quote, so we never ordered the line.
I've had multiple emails informing me of planed maintenance on the non-existent line.
I've rung 5 times to complain, been told each time I've been removed from getting these notices, then another turns up.
In this case we are actually paying nothing but getting the harassment for free! ;)
"Someone has been able to reset my passwords for Amazon, eBay, my broadband provider, iTunes and more,"
I'm guessing they used the... "I've forgotten my password, send me a new one to my email address " ...hole in the system So have a very good password on email (change it when you abandon use of the address) and continue to monitor legacy email addresses until they are killed by the ISP.
I'm guessing they used the... "I've forgotten my password, send me a new one to my email address " ...hole in the system
Which leads to the question - if the person was a former user, how come the TalkTalk address was still set as the password reset address rather the current email address? Yes, TalkTalk are as much use as a fishnet condom and will hopefully go bust, but it seems there's a touch of user error here as well.
I have some sympathy for Talk Talk here (see title for how I feel about that). If they deleted email accounts at the drop of a hat, El Reg would be full of stories about furious customers who had their email account deleted by some prankster. It's really hard to swiftly delete accounts for the actual owner AND never accept account-deletion requests from anyone other than the account owner. Also, it is usually better to be too slow about deleting an account, than it is to accidentally delete an account you shouldn't.
FAOD: I'm pretty sure that Talk Talk could do better here - but it's not a trivial problem.
This post has been deleted by its author
Rather than asking for 2 forms of ID, which some people may not have if you have no passport or driving license. A simple solution is in these matter is the disable the mailbox and to post out a verification letter to the address registered on file by 1st class recorded delivery. Have a unique code in the letter which could then be given over the phone to customer services to prove they are the account holder.
Where a customer had mislaid or forgotten their security details with us, the final method of recovery was we would print a customer identity form on our headed paper, fill out the requesting details, sign the form and post to the registered address. They could then fill in new contact details and return.
Bad companies love to misinterpret data protection regs. It's worth reading up on what the regs actually say, so you can point out that they're in breach of them.
In this case, Talk Talk are in breach because they're sending the customer's personal data to an email address they have been told is compromised. They have an obligation to self-report the incident to the ICO. They can't close the email address without proof, but they have to suspend mail delivery until they're sure it's private.
In my experience TalkTalk are not very useful at dealing with grieving relatives trying to close the account of someone who passed.
We've got to the stage now of writing 'return to sender - deceased' on their correspondence after several phone calls along the lines of - "sorry, system down, no record of last call, we'll look in to this for you and get back'.
The problem is if you make it easy for a customer to shutdown their email, it is also easy for a hacker. If you make it hard for a hacker to shutdown an email, it becomes hard for the customer.
The ideal method would be to make it easy for a customer and hard for a hacker, but that is only a theory and never works in practice. (At least this is my experience with customer service.)
This post has been deleted by its author
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
