> Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS (@virginmedia)
> There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. [0]
Well, they're not admitting what they do is in any way unsafe, but it really seems like a cut-and-dried GDPR violation.
They really haven't met even the spirit of:
> Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Perhaps users can pay their bills by leaving a bag of cash in the park with "Virgin Media" written on it, as it would be illegal for anyone else to take it.
In my experience it doesn't make much difference whether you pay the bills or not.
They sent me to a debt collector more than a year after I had closed my account, for something I didn't owe them (it was a bill for services after I had closed my account and been physically disconnected). When I tried to talk to them about it, one of their call centre managers eventually admitted to me that there was no public number that could get me through to a call centre that had anyone able to sort it, or anyone they could transfer me to who could sort it, so I might as well stop trying and sue them.
I got it sorted by tracking down one of the company executives' home contact information and calling him about it. I harassed him considerably less than the debt collectors harassed me.
The relevant law is the Postal Services Act 2000, section 84(3).
If the letter has already been delivered, maybe to the wrong address, it's only an offence to open that letter if you have the intent to cause detriment and you don't have an excuse to open it.
"Hey this looks important and I wonder who it's for" is a reasonable excuse to open the letter.
> (3) A person commits an offence if, intending to act to a person’s detriment and without reasonable excuse, he opens a postal packet which he knows or reasonably suspects has been incorrectly delivered to him.
Try telling this to a cop who’s itching to arrest you - back-chat and “being clever” is never appreciated.
My 93 year old neighbour had had people using her address for insurance fraud - I’d spotted the huge pile of unopened envelopes in her kitchen, all sent to her address but with random fictional names. Asked her if I can open one. “By all means,” she says, “I just use them as kindling anyway.” Car insurance policies. Hundreds of them.
So, I did what I thought was the right thing, contacted the fraud line.
A few days later this cop appears, not to investigate the fraud, not to console my neighbour - but to threaten both of us with prosecution for opening letters addressed to someone else - and that was the end of that. Never mind that they were going to her home - if it’s addressed to Miss Xfrjjtgvyes Bstgbfwss then only she can open it. I don’t care that she sounds made up. You don’t know that. How do I know you aren’t made up? Watch that tongue, son.
I ignored him and phoned dozens of insurers on her behalf, didn’t bother the police again. They take opening someone else’s mail, even a fictional person, far more seriously than, say, £30,000 of fraud.
[0] https://ico.org.uk/for-organisations/guide-to-data-protectio...