Currys to Newcastle, a cautionary tale
December 3rd 2007 -
Have just had an interesting evening’s “entertainment”. I received a call from a Mr. Bells (not his real name) in Newcastle who had gone to buy something from Currys website via a link on the forum of Martin Lewis’ site, Moneysavingexpert.com. Now I do receive the weekly email from this site but I am not a member of the forum there and have never 
posted. This chap had quite innocently followed the link, added the item (an Archos MP3 player) to his basket and then gone to view it. At this point he was presented with my details: my work address, my home address, my phone number and my email address.
My new friend in the North was perturbed by this and gave me a ring. Initially I was a bit hesitant and suspicious but listened to what he had to say, thanked him and hung up. Once I’d confirmed I didn’t have an account on the forum (I have joined an awful lot of websites) I phoned him back whilst logged onto Currys website. He was very pleasant and explained what had happened again, and I watched (from my end) as he added another item to my basket and applied a discount code (very considerate).
I have to say that I wasn’t completely unfamiliar with the item in question and had looked at it earlier in the day (at work on yet another computer) and added it to my basket, but then thought better of it. I had logged out of the site (I am generally meticulous about this), closed the browser and turned off that computer at the end of the day.
I phoned Currys customer support immediately and spoke to a Chris. He was initially dubious and said there was no way that could happen. He asked if I had ever used Mr. Bells’ computer before. Now, I like Newcastle and have visited there many times, but I have never met a Mr Bells there or anywhere else, let alone used his computer. It was then, when I spelt out the link that Chris managed to pull up my details also, add something else to my basket (I could see this) and I was able to read out the postcode that clearly someone else was typing in order to check stock at their local store (he could see this as well). “S**t its happening now” were his exact words I believe.
He asked for my details so he could open a file on my issue and we had a bit of a laugh <:-| (because he had them in front of him on the website (!)). He then said, after conferring with his manager, that there was nothing that could be done because head office was closed but to rest assured that it would be dealt with first thing in the morning. When I pointed out that that meant that my details would be completely visible to the internet all night and that it wasn’t really good enough he went off to his manager, twice. His manager, I was told, was the only supervisor on duty that night and was too busy to come to the phone herself. But after re-iterating that all my personal details were visible to anyone who tried to buy anything at Currys (for all I knew), and that my credit card details were just a six character password away from this he went to talk to her again whilst I was on hold (this is all at 5p per minute of course)
Eventually R. was good enough to speak to me. All she did was repeat that there was absolutely nothing she could do, she couldn’t block my account but that it would be given priority at 9am tomorrow by head office. She got a bit shirty when I said surely they must have a policy, asking what I meant (they don’t “Its head office who have the policy”). I asked what assurances she could give me but apparently those are down to the mythical head office also. I had to ask her if she thought I should block my credit card (I’d done it already). Reluctantly, believing she really was powerless, I hung up with only her name and a case number. I’ve since managed to make sure I am logged out of the website and have changed my password to a much more secure one.
Kathryn, getting a bit worried at this point, also phoned them and after being fobbed off with the promise of a return call three times (and spending a tenner on hold) finally got to have a go at R. also. She got no further than me however except for the complaints procedure postal address, which I’d already got from the website. It seems that R. really was the most senior person available at that time. Trust me, Dr. Szell would be impressed with Kathryn’s persistance. If there was someone else there, we would have got hold of them.
Now I’m generally quite blase about shopping online and have spent alot of money over about ten years on lots of websites, including Currys. I know quite alot about computer security and generally think I can spot a secure site from an insecure or phising site. I also reason that I’d much rather type my details into the forms of a reputable company over a SSL conection than had them out over the phone to the voice of someone I don’t know. What I can’t believe is that a large company ( I think they’re part of the Dixons group) who sell technology, firstly have dolled out my secure shopping session, including all my personal details to at least three other people (and probably everyone who clicked on the link from MSE this afternoon, these are the ones I witnessed firsthand) and secondly, have nobody on hand to fix such a gaffe (unless it’s during office hours).
I’m not a great believer in the identity theft hysteria either but this evening, I have a nasty nagging feeling. I am going to be careful about the strength of my passwords in future, at one point, when I logged in to upgrade my password I thought someone had changed it from under me, locking me out and them in, with my credit card details.
We’ll see what happens tomorrow and how well Currys customer service deals with it. I still quite fancy that Archos.
And if you get an email, or phone call from me in the near future don’t forget to ask me the secret question ensuring you receive the correct response:
challenge: “The weather in Paris is especially warm for the season”
response: “yes but in Berlin it is unreasonably cold”