Appalling Security Procedures

Our apartment building outsources the billing for our various utilities to other companies. One of the companies recently changed, so I have been awaiting our first bill. When a friend who lives in the same complex informed me he had already received a bill and paid it some two or more weeks ago, I got anxious and the missus said she would call and get our account number, outstanding balance, and try to determine why we had not yet been billed.

When I didn’t hear from her before I knew she had to leave for work, I figured she had run out of time or wasn’t able to contact them, so I called them myself. While on the phone I discovered they had only recently sent me my bill. I asked for my account number and login information. She happily (with no verification other than my name and address) gave me my account number and created a website password for me. The password they gave me was rather flimsy, so I logged in to my account and changed the password to something at least a bit better (and that I would remember). While I would have liked them to do a bit more verification to determine who I was before handing out this information, I understand national secrets aren’t stored in my utilities billing account.

Interestingly, the missus called them an hour or so after I did. With no more identification than her name (which is probably not on the account, although I could be wrong) they happily informed her that I had previously called and obtained the billing information. They also readily gave her the account number and my (new) password. Quite obviously their employees have the clear-text passwords to all the accounts by just punching in an apartment complex and apartment number (and they seem to be quite willing to give these passwords out to almost anyone).

Again, no national secrets here, but shouldn’t they do a bit more before just handing out my account number and website password? I would argue the nice people on the phone (and they were very pleasant, I certainly cannot fault their telephone demeanor) shouldn’t even be able to see my password and at best they should send a “password reset request” to my email.

Oh well.
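The design argued for above, as an added example that is not part of the original post and says nothing about how the billing company's site actually works: passwords kept only as salted PBKDF2 digests, a support view that exposes no credential at all, and recovery through an expiring, single-use reset token sent to the e-mail address on file. The `AccountStore` class, the sample account and the `outbox` list that stands in for mail delivery are all hypothetical, constructed for the demonstration.

```python
"""Added example (not from the original post): an account store in which
support staff cannot read a customer's password and the only recovery
path is an e-mailed, single-use reset token. All names are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000          # slow hash: a leaked digest is costly to brute-force
RESET_TOKEN_TTL_SECONDS = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """In-memory stand-in for a billing site's account table (hypothetical)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}
        self.outbox: List[Tuple[str, str]] = []   # (email, token) mails "sent"; demo only

    def create(self, account_no: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[account_no] = {
            "email": email,
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "reset_hash": None,          # digest of an outstanding reset token, if any
            "reset_expires": 0.0,
        }

    def login(self, account_no: str, password: str) -> bool:
        acct = self._accounts.get(account_no)
        if acct is None:
            return False
        return hmac.compare_digest(acct["pw_hash"], _hash_password(password, acct["salt"]))

    def support_view(self, account_no: str) -> dict:
        """What a phone agent may see: account number and contact e-mail only.
        The stored digest cannot be turned back into the password and is not shown."""
        acct = self._accounts[account_no]
        return {"account_no": account_no, "email": acct["email"]}

    def request_reset(self, account_no: str, now: Optional[float] = None) -> None:
        """Agent-triggered recovery: a random token goes to the e-mail on file.
        Only its hash is kept, so the agent never sees the token either."""
        acct = self._accounts[account_no]
        token = secrets.token_urlsafe(32)
        acct["reset_hash"] = hashlib.sha256(token.encode()).digest()
        acct["reset_expires"] = (now if now is not None else time.time()) + RESET_TOKEN_TTL_SECONDS
        self.outbox.append((acct["email"], token))

    def complete_reset(self, account_no: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        acct = self._accounts.get(account_no)
        if acct is None or acct["reset_hash"] is None:
            return False
        if (now if now is not None else time.time()) > acct["reset_expires"]:
            acct["reset_hash"] = None        # expired token is discarded
            return False
        if not hmac.compare_digest(acct["reset_hash"], hashlib.sha256(token.encode()).digest()):
            return False
        acct["reset_hash"] = None            # single use
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = _hash_password(new_password, acct["salt"])
        return True


def demo() -> dict:
    """Replay the post's scenario against the hardened design; returns the checks."""
    store = AccountStore()
    store.create("APT-204", "tenant@example.com", "correct horse battery")   # constructed sample
    view = store.support_view("APT-204")
    store.request_reset("APT-204", now=1000.0)
    _, token = store.outbox[-1]              # what the customer, not the agent, receives
    return {
        "agent_sees_password": "pw_hash" in view or "password" in view,
        "old_password_works_before_reset": store.login("APT-204", "correct horse battery"),
        "wrong_token_rejected": store.complete_reset("APT-204", "guess", "x", now=1001.0),
        "reset_ok": store.complete_reset("APT-204", token, "new pass phrase", now=1001.0),
        "token_reusable": store.complete_reset("APT-204", token, "again", now=1002.0),
        "new_password_works": store.login("APT-204", "new pass phrase"),
        "old_password_works_after_reset": store.login("APT-204", "correct horse battery"),
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The point of the layout is that the agent's screen (`support_view`) has nothing to read out over the phone: the password exists only as a salted digest, the reset token exists only as a digest once it has been mailed, and a token that has been used or has aged past its 15-minute window is refused.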
