I was slightly surprised to get an email from ClearScore recently. They are the company that can tell you what your credit score is, so their database contains highly confidential and personal information about you and your financial details. I didn't think that I'd signed up with them, but clicked on the link, and then clicked again to reset my password. I then got an email back from ClearScore confirming this had been done. I was then able to log into my account - except that it wasn't my account! It was the account of another person with the same name, but who lived in a different part of the country. I was able to see details on what his ClearScore account was, and get some basic information about him.
This isn't what I was expecting and I was pretty taken aback. I contacted ClearScore and was even more surprised at the response that I got from them. In part it said "Someone has registered for ClearScore using your email address (or a slight variation of it). We understand this email address is yours and it shouldn't have been used so we've suppressed it to make sure that no one can use your email address to sign up for ClearScore in future. Please let me know if you’d like to sign up yourself, and I can help you with this."
Now, it was pretty clear to me by this point that someone else had indeed, for reasons I can't imagine, signed up using my email address. What also seems obvious is that they were able to go in, make up an account, provide data etc to get their ClearScore figure and leave, all without the email being validated! In most instances this isn't going to be an issue, but now and then, and this is one of those times, it's going to open up someone to a clear breach of their security. Now, you could argue that if the person who created the account was stupid enough not to check the email address they signed up with then it's their own fault. However, it's equally clear that ClearScore should have a duty of care to keep peoples personal and private information safe, regardless of how much effort the individuals put into doing that themselves. In this instance no email validation was forthcoming, because it would have come to me and I could have either ignored it or responded that the address was wrong.
The idea that 'a slight variation' of an email address is enough to get ClearScore to create an account is quite frankly laughable. A computer doesn't say 'oh well, it's not quite the name that was entered but it's close enough, we'll work with that'. I'm also quite taken aback that the person I spoke to doesn't appear to have an concern about the breach of the Data Protection Act; I wonder if they are going to contact my namesake and let him know what they've done - or rather not done? All they seem concerned about is getting me to set up my own account. Somehow that's not going to happen.
I have emailed back to the contact at ClearScore to seek clarification and have yet to get an answer. As soon as I have, I'll let you know, and in the meantime, if you are thinking of joining a service, do make sure that a)you put the right email address in and b)the company actually validates it before letting you do anything.
Edited to add:
I've had a response from ClearScore. They can't/won't tell me if they are contacting my namesake, which is fair enough I suppose as long as they do. They go on to say:
"With reference to your first point - "does Clearscore use some sort of pattern matching, and if so, does that happen on a regular basis", when a user registers for ClearScore, they are requested to enter their email address. This is a manual process which the user must enter. We have a background check which makes sure the email address is valid. This prevents most typos, for example if a user types firstname.lastname@example.org instead of email@example.com, we will alert them to this. Unfortunately, in a very small number of cases if a user types an email address which is valid, this may allow them to register under this address."
So basically, apart from checking a mangled email address THEY DON'T VALIDATE EMAIL ADDRESSES! They go on to say "I have been discussing your case with our security and tech teams and we are currently brainstorming additional ways we can prevent something like this from happening in future." Here's a clue: VALIDATE EMAIL ADDRESSES! This is not hard, nor is it difficult, and it's not exactly rare. It's quite unbelievable.