Flaw allowed man to access private information of other Brinks Home Security customers

A Canadian man has revealed that the company he chose to provide security for his home was carelessly exposing the private information for other customers, even after he warned them about the problem.

When Edmonton-based Andrew Kopp had the Brinks Home Security system installed at his house he thought he was doing the right thing to protect his home and family, but - he discovered - he might actually have been unwittingly putting his personal information into the hands of online fraudsters and potential thieves.

Kopp was shockled to see that he was able to view the information of over a hundred other customers when he logged into his online Brinks Home Security account while trying to troubleshoot a problem with some door sensors.

Information Kopp could view about other customers included:

• Names
• Addresses
• Emergency contacts
• Cellphone numbers
• Payment history
• Details of the security systems protecting their homes

Kopp stumbled across the flaw in early 2022 and reported it to Brinks, and assumed that it would be quickly fixed.  However, as CBC reports, the problem was still present in April 2022.

Kopp reported the problem to Brinks again, and waited a few months before calling Brinks once more in early July 2022.

The problem had still not been fixed, and realising that his warning was not being taken seriously Kopp recorded his call with Brinks's customer service department:

"It's a huge customer information problem, which is why I need to speak to a manager."

Despite being promised he would receive a call from Brinks management, Kopp never received a call back, and he eventually enlisted the help of CBC's "Go Public" investigatory TV show to dig into the issue.

It was only when the media had got involved that Brinks owned up to its failure, claiming that "less than .01% of Brinks Home's total customer base had the ability to view the contact information of a small subset of other customers."

Brinks further said that "the nature of the data that was visible did not require a customer notification."

I'm not sure I can agree with that.  When it comes to something like my home's security I would want to partner with a business that was not only defending my home but that was also safeguarding my personal information.

And as for the failure for anyone at Brinks to contact Kopp about his discovery?  Brinks blamed that on their hired-in customer service rep:

"The third-party customer service representative who spoke with Mr. Kopp unfortunately did not follow the proper protocols and procedures required by Brinks Home when an escalation is requested by our customers. Once we received Mr. Kopp's direct email in September, the Brinks Home team moved quickly and addressed the issue within 24 hours with no impact to our service. We have since reinforced our protocols and trainings with the representative in question to ensure compliance with our escalation procedures."

Brinks says that no financial or banking information was visible as part of the incident, and that (as far as it knows) Kopp was "the only customer that accessed other customers' information."