Here’s a story from a local institution that had a budget problem. One department found that they always overspent their budget but no one could ever find out why. Eventually a new person joined the staff and decided to solve the mystery, and discovered that the money was leaking out of the department because a completely different department was using it to pay for their office supplies. And how was that possible? It seems that the institution assigned budget numbers in numerical order. A simple clerical error, getting one digit in the account number wrong, allowed one department to drain money — for years — from the budget of a different department.
Now imagine the same thing happening at your company before you introduce automated account information. Someone speaks to their customer service representative (or to you) and you have a conversation. If they give you the wrong account number, it’ll be clear fairly rapidly what the problem is. And if someone calls and tries to get information about a competitor’s account, you’ll figure that one out pretty quickly as well.
After you introduce automation, what prevents a caller from calling in and trying account numbers in sequence until they hit one that works? What if the caller is attempting fraud, or is attempting to access competitive information (about you or your customers)? And what if they make an honest mistake?
As a best practice, whether you have automation or not, the account numbers you assign should not be simply sequential. The most secure method is to assign a random number to each account. If that’s too complex, you might consider adding a single random number to the end (or the beginning, or the middle) of sequential account numbers. Or you can use one or more random digits and add one or two additional “checksum” digits, which is the method used by credit card companies to prevent people from guessing or confusing credit card numbers.
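To make the random-digits-plus-checksum idea concrete, here is an added sketch (not code from any particular institution or card issuer) that draws the random digits from the operating system's secure generator and appends one check digit computed with the Luhn formula, the check-digit scheme used on payment card numbers. The function names, the nine-digit length and the result strings are assumptions chosen for illustration.

```python
import secrets

DIGITS = "0123456789"

def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk right to left; every second digit, starting with the last, is doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def is_well_formed(number: str) -> bool:
    """True when the last digit matches the check digit of the rest."""
    return (number.isascii() and number.isdigit() and len(number) >= 2
            and luhn_check_digit(number[:-1]) == number[-1])

def new_account_number(issued: set, random_digits: int = 9) -> str:
    """Random digits from the OS CSPRNG plus one check digit, unique in `issued`."""
    while True:
        body = "".join(secrets.choice(DIGITS) for _ in range(random_digits))
        number = body + luhn_check_digit(body)
        if number not in issued:
            issued.add(number)
            return number

def lookup(number: str, issued: set) -> str:
    """What an automated phone or web system would answer for a keyed-in number."""
    if not is_well_formed(number):
        return "rejected: mistyped"   # honest slip, caught before any account is touched
    if number not in issued:
        return "rejected: unknown"    # well formed but unassigned: not a one-digit slip
    return "ok"

def single_digit_typos(number: str):
    """Every number that differs from `number` in exactly one position."""
    for pos, ch in enumerate(number):
        for d in DIGITS:
            if d != ch:
                yield number[:pos] + d + number[pos + 1:]

if __name__ == "__main__":
    issued = set()
    acct = new_account_number(issued)
    hits = sum(lookup(t, issued) != "rejected: mistyped" for t in single_digit_typos(acct))
    print(acct, "single-digit typos accepted:", hits)
```

The check digit is what catches the one-wrong-digit error from the budget story; because its formula is public, the protection against a caller working through numbers comes from the random digits, which leave almost every well-formed number unassigned.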
Is this a big change? Yes, it is. Is it necessary? Good question. Unless my company had a history of making accounting errors based on incorrect customer numbers, I wouldn’t bother switching old numbers for new ones, but I would start assigning new numbers with a little more care. If my company does experience problems — fraud, errors, and the like — then of course it pays to make corrections. And if my company safeguards important information for customers, such as medical records, I would be very cautious. I can’t speak to the legal requirements, but if an inexpensive change (and this change might be very expensive in some cases) can help protect against privacy violations, that’s what I would choose.