We worked with Sparrow Net to improve its account security process
In September 2019, we notified Sparrow Net* about a possible systemic issue with its account security process for consumers experiencing family violence.
During our investigation we found Sparrow Net’s existing account security process was not always suitable for consumers who were experiencing family violence. Many consumers said the perpetrator was able to access their account using Sparrow Net’s standard verification processes, both over the phone and online. This was because the perpetrator was able to pass the security checks using information they already knew about the consumer.
Consumers also complained Sparrow Net:
- inadvertently sent emails and letters containing personal information about the consumer to the perpetrator
- did not remove a perpetrator’s authority on the consumer’s account when requested
- did not transfer ownership of a service to or from the consumer’s account when requested
- agreed to add a password to the consumer’s account but did not request it in later interactions
We worked with Sparrow Net to improve its account security processes to prevent consumer’s personal information being accessed or disclosed without authority. Sparrow Net stopped using the consumer’s personal information as its main authentication method. Sparrow Net now sends a One Time PIN to the mobile number listed on the account.
*Names of all parties have been changed