
Before You Hand Over a Business Mobile Number, Do This First

Someone leaves your practice and their work mobile number gets reassigned - either to a new staff member or back into the pool with your carrier. It happens all the time. What most business owners do not realise is that the old number is probably still connected to a dozen or more accounts: cloud apps, supplier portals, banking alerts, Microsoft 365, even multi-factor authentication codes for your own systems. The next person who picks up that number can receive all of it.

A 2021 Princeton University study found that 66% of mobile numbers listed as available by major carriers were still connected to active accounts on sites like Amazon and PayPal. The former owner had handed the number back. The carrier had reassigned it. But the accounts never got the memo. For a professional services business, where client data, financial systems, and legal communications all flow through staff devices, that is a serious exposure. IT support for professional services firms can help ensure these exposures are identified and addressed before they become a problem.

The specific risk worth understanding is multi-factor authentication, or MFA. MFA is the extra verification step - usually a code sent by text - that protects accounts even when someone has a correct username and password. It is a good security layer. But if that text goes to whoever now holds the old number, they can use it to reset passwords and get into accounts your former staff member was still connected to. That includes anything they accessed on behalf of the business. Understanding why MFA failures lead to entirely preventable breaches is worth your time if this is new territory.

Fixing this properly requires working through several layers. Online accounts and cloud applications need the number updated - and there are usually more of these than anyone initially expects. Social media profiles, supplier portals, and any service that sends text notifications all need attention. Then there is the MFA check: every account that uses text-based authentication needs to be reviewed to confirm codes are going to the right number, not the old one. Finally, it is worth scrolling back through the message history on the old device before it is wiped - you will almost always find a service or two that nobody remembered to update.
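The MFA check above is the step that is easiest to get wrong by hand, because nobody remembers which staff accounts have which number registered. For a Microsoft 365 tenant, the check can be scripted against Microsoft Graph. The script below is an added example for this article, not ITstuffed's own tooling; it assumes the Microsoft.Graph PowerShell SDK is installed, that the person running it holds a role permitted to read and modify authentication methods, and it uses a placeholder number. It lists every user whose phone-based MFA method still points at the number being handed back, and only removes those methods when `-Remove` is passed explicitly.

```powershell
# Added example (not from the original article): find Microsoft 365 users whose
# MFA phone methods still point at a mobile number that is about to be reassigned.
# Assumptions: Microsoft.Graph SDK installed; caller can read/write auth methods;
# the number passed in is a placeholder, not a real staff number.
param(
    [Parameter(Mandatory)] [string] $DepartingNumber,   # e.g. '+64 21 000 0000' (placeholder)
    [switch] $Remove                                    # dry run unless explicitly asked to remove
)

Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.ReadWrite.All'

# Graph stores numbers with spaces ('+64 21 000 0000'); compare on digits only
function ConvertTo-Digits([string] $Number) {
    return ($Number -replace '[^\d]', '')
}
$target = ConvertTo-Digits $DepartingNumber

# Walk every user and every phone method registered for them
$hits = foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName) {
    $methods = Get-MgUserAuthenticationPhoneMethod -UserId $user.Id -ErrorAction SilentlyContinue
    foreach ($method in $methods) {
        if ((ConvertTo-Digits $method.PhoneNumber) -eq $target) {
            [pscustomobject]@{
                User      = $user.UserPrincipalName
                PhoneType = $method.PhoneType      # mobile, alternateMobile or office
                MethodId  = $method.Id
            }
        }
    }
}

if (-not $hits) {
    Write-Host "No MFA phone methods reference $DepartingNumber."
    return
}

# Report first; this is the evidence to keep with the offboarding record
$hits | Format-Table -AutoSize

if ($Remove) {
    foreach ($hit in $hits) {
        $uid = (Get-MgUser -UserId $hit.User).Id
        Remove-MgUserAuthenticationPhoneMethod -UserId $uid -PhoneAuthenticationMethodId $hit.MethodId
        Write-Host "Removed $($hit.PhoneType) method for $($hit.User)"
    }
}
```

Run it without `-Remove` first and keep the table output with the offboarding record. The departing user's own account should already be disabled as part of offboarding, so removing their method is safe; for any other active user the script turns up (a shared number registered as a backup, for example), register their replacement number before removing the old one, otherwise they lose their MFA factor. This only covers Microsoft 365; supplier portals, banking alerts and social media accounts still need to be checked service by service.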

None of this is especially complicated, but it does need to be done systematically and before the number is reassigned. The problem is that it rarely is. Most businesses do not have a documented offboarding process that includes mobile number deregistration, which means this step gets skipped every time someone leaves. There are also unexpected ways hackers get into business accounts that a proper offboarding process should account for.

If your business handles client information - health records, legal files, financial data - the NZ Privacy Act 2020 puts an obligation on you to take reasonable steps to protect that information. A recycled mobile number that still receives MFA codes for systems holding client data does not meet that standard. More on how healthcare IT support and legal IT support handle data obligations is available if your sector carries specific compliance requirements.

The practical answer is a proper offboarding checklist that gets followed every time a staff member leaves or a number changes hands. Your IT support should own that checklist and run it as a standard part of any staff departure - not something you have to think about or remember to ask for.

If you are not sure whether your current setup covers this, ITstuffed offers a free 15-minute IT Fit Check for Canterbury businesses. It is a quick conversation, not a sales pitch, and it will tell you where the gaps are.
