KCP&L recently warned customers about bill collection phone scams. It failed to say that the company’s own website had been making their phone numbers freely available.
A customer discovered the disclosures during the widespread service outages that struck 100,000 area residents last month.
The Star verified what he had found. Type an address into KCP&L’s online form to report a power outage, and after a couple of easy clicks, the site automatically provided the primary phone number on the account.
The website made no effort to identify who was reporting the outage and thus who was seeing the phone number, whether it was unlisted or a cellphone.
Experts saw the disclosure as potentially helpful to scammers.
Checks turned up phone numbers in much of the 43-county area KCP&L serves in Missouri and Kansas. The company has 753,500 residential customers and nearly 100,000 business accounts.
One of them, Stephen Cook, confirmed that the number The Star found for his account was his cellphone. And that bothered him.
“I am concerned whenever people can access my information,” Cook said. “This is my cellphone. The company should be taking care of our personal and private information.”
The appearance of the phone numbers on the outage forms was legal under state law. And it was no accident.
KCP&L designed the outage form to work that way, spokeswoman Katie McDonald said. Autofilling the phone numbers made reporting outages more convenient for customers. Anyway, she added, phone numbers generally are available online.
Some other area utilities’ outage reporting systems also disclose some information.
Last week, after an inquiry by The Star, KCP&L disabled the feature that automatically filled in the phone number. It means residents reporting this week’s storm-induced outages had to provide a contact number to receive updates.
“It’s tough to design a system to serve everyone,” McDonald said.
Like KCP&L, the Platte County sheriff’s office recently reported scam calls purportedly in its name.
It warned residents that a fictitious “Sgt. Jackson” and “Deputy Jackson” were calling to demand payment to settle a warrant for missing jury duty.
The fraudsters gained credibility in part by citing the address and phone number of not only the sheriff’s office but also the intended victims, said Sgt. Jeffrey Shank.
Shank said he was uncomfortable learning that KCP&L had been making phone numbers available.
“That is definitely a potential source of them (fraudsters) gathering information that people may not want out there,” Shank said. “I would have the same concerns. I’m a KCP&L customer.”
Scammers certainly seek information through illegal means such as hacking. They also may reach targets through robo dialing equipment that dials numbers until one answers.
KCP&L’s online form drew attention, in part, because it paired up bits of information, which is valuable to fraudsters.
“You should not be able to type in somebody’s address and get a number, because that number could be your cellphone,” said Naeem Babri, president of the Information Systems Security Association’s Kansas City chapter. “There is a fraud issue for sure.”
Linking bits of information in this way validates that they belong together. Scammers would know their potential targets likely provided KCP&L the information and may keep it current. The site’s online reporting form also provided the first four letters of the last name on the account, offering partial confirmation.
Babri said scam artists often use multiple sources to assemble a profile on possible targets.
“Fraudsters are very smart now,” Babri said. “They slowly collect data because that does not raise any questions. When they collect everything, then they go full-blown.”
KCP&L said it detected no wave or surge of hits on its outage report form page from any one source that might have suggested an effort to retrieve phone numbers.
Tug of war
Any group that collects information on individuals faces decisions about how to handle it in the increasingly digital relationship with customers. It amounts to a tug of war between convenience and control over information.
“A lot of organizations have good intentions,” said Barry Cooper, vice president of marketing at Fishtech, a digital security company based in Kansas City. “They’re trying to make a good customer experience. ... And maybe (they) aren’t thinking through some of this disclosure that may be in place.”
Checks found some degree of disclosure at other area utilities.
Much of Kansas gets power from Westar Energy, the Topeka-based utility that is trying to merge with KCP&L’s parent company, Great Plains Energy.
Westar’s website required two pieces of information, a phone number and ZIP code, to report an outage. Only then did the site provide an address connected to the account. The site used to require an account number, usually not handy during an outage.
“We’re trying to keep a careful eye toward balancing convenience and privacy,” said Yvonne Etzel, a spokeswoman at Westar.
Independence Power & Light serves 57,000 mostly residential customers. Customers report outages by phone. The computerized system asked for the phone number of the account with an outage and then provided the address.
Meg Lewis, public information officer, said the system quickens the response to an outage and allows no access to other information. Customers can set up a password on accounts, and about 200 have.
The Board of Public Utilities supplies power and water to more than 50,000 customers in Wyandotte County. It had reported utility bill scam calls in May. Its customers must use the phone associated with an account to report an outage, communications officer David Mehlhaff said.
BPU’s online contact form also allows a customer to report an outage. It requires first and last names, an address, a phone number and an email address to send a report. More required information means more effort to report an outage.
“We’re constantly asking customers to make sure we’ve got their current phone number on their accounts,” Mehlhaff said.
At KCP&L, the outage report based on an address needed a phone number so the company could ask questions and offer updates. McDonald said customer focus groups liked the autofill phone number.
“My team on Facebook was dealing with a customer who appreciated our outage form and specifically appreciated the phone number being populated because they couldn’t remember what phone number they had put in there,” McDonald said.
Legally, the disclosure of phone numbers is fair game.
Missouri and Kansas laws define “breach of security” or “security breach” and what constitutes “personal information.” Phone numbers don’t count, said Kara Larson, KCP&L’s lead corporate counsel. And that’s true about cellphone numbers.
Kansas law, for example, calls it a release of personal information to link a person’s first name or initial and last name with a Social Security number, driver’s license number, financial account number, credit or debit card number, access code, or password to a financial account.
Larson said the same goes for personally identifiable information, or PII, which is a phrase the information security industry uses and that she said equates to the states’ use of “personal information.”
“You may be asked for additional personally identifiable information, such as telephone numbers, account information or other information during the registration process,” the policy said.
By disabling the automatic phone number fill-in, the company took what some saw as a meaningful step toward privacy.
Jeff Lanza, who operates a security company in Kansas City, noted that most landline phone numbers can be easily found through telephone directories and reverse-address websites.
“But there should be some way to prevent” having unlisted or cellphone numbers revealed, Lanza said. “Maybe the form should require people to put in their own phone numbers” or another personal identifier.