Why Doesn’t AT&T Require Email Verification Before Sending Sensitive Account Information?


There’s a reason why companies that handle sensitive billing information may ask customers to verify their email addresses before sending any communications. It’s to prevent customers from seeing things they shouldn’t. So why doesn’t AT&T have such a safeguard in place for its customers?

Consumerist reader Joshua emailed us recently with an issue he was having trouble getting resolved. He received an order confirmation from AT&T for a home security system at an address in Detroit — which is an issue, because he lives in Minnesota. The order contained the person’s first name, date the order was placed, their address, the type of service, type of credit card used, and the amount billed.

“I am an AT&T customer; have been for over a decade. My email address has been on file with them for years now as an authorized user (the account is under my wife’s name),” Joshua wrote. “I was surprised that an account they had on record as belonging to me could be used by someone else without raising any flags.”

Reaching Out

He contacted AT&T using the phone number in the email, and was bounced from a sales rep to the global fraud prevention department. He explained the issue, telling the rep upfront that the email belonged to him, but that the information was intended for another customer.

He told her he didn’t think he should be receiving such information, nor did he think that the other customer would be pleased to know he’d gotten it.

He tells Consumerist that the fraud prevention representative was “incredibly rude and downright dismissive.”

“When I asked her why AT&T didn’t take the basic step of verifying ownership of an email address prior to using it for billing purposes, she flatly stated that AT&T could not and would not do that, as it ‘was not possible’ in the first place.”

Which is odd, Joshua says, considering turnkey services exist for this very reason, and many other businesses will email a unique link or code to the address for confirmation.

“She refused to remove my email from the account, refused to even do so much as confirm that someone would look into the issue,” Joshua writes. “I was really taken aback.”

Going Social

He also vented on Twitter about the issue, and was contacted by a social media manager asking for his email address. He provided it — but then got no response.

A few days later, Joshua wrote to Consumerist with his plight, and we reached out to AT&T that day to ask why the company doesn’t verify email addresses used for sensitive communications. With Joshua’s permission, we provided his contact information yet again.

That same day, an AT&T social media manager replied to Joshua’s direct message on Twitter, apologizing for the delay in responding and asking for his email address (again), and the billing account number or phone number associated with the email.

Joshua didn’t see the message immediately, saying he doesn’t often check his Twitter inbox, as that’s not a method of communication he’s used to using. Besides, he’d given Consumerist permission to share his email address with AT&T AND had shared it directly with the social media rep who asked for it before, so he thought that would be how the company would reach out to him.

He once again provided his email address to the person writing from AT&T’s Twitter account, along with as much information as he could glean from the misdirected emails about the other customer’s accounts.

Apology Without Action

At that time, a rep for AT&T told Consumerist that the company’s policies don’t allow for sharing details about customer accounts in these situations, but said that they were able to “resolve the issue” and would be letting Joshua know that.

“We’ll also apologize for the inconvenience and the delay in getting back to his social media queries,” he said.

That same day, another AT&T social media rep messaged Joshua saying, “We are here to help, Joshua. Your account details are being reviewed. Thanks!”

It’s been a week since then, and Joshua says he’s still receiving email regarding the other person’s account.

“Just got one asking me to set up permits for the alarm to avoid fines,” Joshua writes. “It looks as if AT&T does not care whether or not their customer in Detroit is getting fined or not!”

Joshua says the situation ticks him off, because it’s an example of an otherwise responsible company not taking “basic steps to validate contact information prior to sending personally identifying information.”

That behavior could be dangerous: Joshua notes that AT&T sent him enough information that it would be easy for him to call the other person, pose as an AT&T rep, cite order details, claim there was a problem with billing, and ask the customer to repeat the card number and confirmation code for the AmEx/Visa/Mastercard/Discover credit card they used to set up the account.

And beyond that, he’s still getting those emails meant for a stranger. What’s to prevent AT&T from sending Joshua’s information to other people as well?

“I would be furious if they made it this easy for someone else to steal MY info, and then refused to take any action when informed of the problem,” Joshua writes.

We’ve reached out to AT&T multiple times since our last communication to ask again why the company doesn’t offer email verification for customers who choose to have billing and other sensitive account information emailed to them, and we have not heard back.

“The burden of keeping my information private should be on the company, not on the consumer,” Joshua says. “I can’t stop people from accidentally using my address, but there is absolutely no reason for AT&T not to check the email before sending personal details — especially when the email in question is already in their system, tied to another account, under a different name, in a different state.”

UPDATE: After we published Joshua’s story, a global fraud management manager for AT&T reached out to us, saying he was “very disturbed by the treatment a valued customer would receive from our organization.” He asked us to pass along his direct confirmation to Joshua, which we did.

Joshua says the manager was “quite helpful.”

“He explained that AT&T will be implementing measures to at least flag issues where addresses are used across different accounts, and ensured that I have his information should any problems arise in the future,” Joshua wrote in a followup email. “He was even nice enough to compensate us for the trouble caused by this issue.”

While we’re pleased for Joshua and hope that these planned measures keep this sort of thing from happening to others, we’re still curious why AT&T doesn’t integrate email verification for sensitive account information regardless.
