SoCalGas' Password Policy Makes Passwords Pointless

We’re not sure why a company would bother offering a password feature on its customer accounts if it disables those passwords without warning 3 months later as a matter of policy, but that’s how Southern California Gas Company rolls. Does it really matter, you ask? It might if you’re a victim of domestic violence.

One of their customers wrote to us:

I am in a domestic violence protection program, and must keep my private information (address, T#, etc.) confidential. One way I do this is by password-protecting my accounts, including my utility bills.

When I called Southern California Gas Company today to find out why it had not changed my mailing address to my protected one, I learned that the Gas Co. had “dropped” my password without notice — meaning anyone with basic information about me could access my account and, with good social engineering, get my street address and T#.

The first rep told me that the Gas Co. drops passwords “after six months,” but then she noticed my account was only four months old. She told me that my password, apparently, was dropped after 90 days. She could not tell me why.

A second rep told me that all passwords are dropped after 90 days, but mine “stayed on for a little more than that” (120 days) “for some reason.” Her supervisor confirmed that SoCalGas drops all passwords after 90 days, but does not notify consumers of this when they initially place passwords on the account. She said they are expected to notice it missing and request it be reinstated for another 90 days.

I called one more time to ask a third rep about this password policy. I did not give my account number, but said I was moving and wanted to know if I could password protect my account. The rep said “yes, no problem.” And when I asked if it would remain intact while my account was active, the rep hesitated, first said “yes,” then said “oh, but there’s a policy that we drop it off after 90 days because we don’t know how long you’ll be living there.”

This is terrible security procedure, and, in my case, places me in danger. It’s unbelievable that a company would drop passwords from its customers’ accounts without prior or current notification.

It wouldn’t be as bad if Southern California Gas Company actually notified its customers when removing the password, or if their CSRs fully understood the policy and gave out the correct information when customers called in. Maybe they feel that it’s sort of unnecessary—but as the customer above can demonstrate, there are certain situations where you really might want to keep your account info protected.
