I just received another call from "Symantec Customer Service" looking to ask me these questions agao. It was a different woman this time, so I asked her for phone number, email address, or anything to prove she was calling from Symantec. She said she was calling from the UK customer service center and could not receive inbound calls and did not have an email address. I explained to her my concerns with answering any of her questions, especially since the calls come in with a blocked number, and said she understood and would remove my name from the list.
Now I asked her very specifically if she was a Symantec employee or with a third party company, and she stated she was a Symantec employee. When I questioned her on what versions of Symantec software we were running, she said 2010 (we are running 2010 R2 now - she might not even know there is a difference) and her records stated we purchased it from CDW which is correct.
So now the possibiliies here are
1) The call is real, and Symantec - a secrurity company - simply doesn't have it's act together when contacting customers and asks them for confidential information that would be a security risk to divuldge. Symantec is also asking for this info without any method of proving that it is actually a Symantec employee who is calling on behalf of Symantec.
2) Symantec hired a third party to make these calls.
3) Symantec was compromised and third parties are making these calls unbeknownst to Symantec and for unkown reasons.
4) CDW sold this info and third parties are making these calls for unkown reasons.
5) CDW's systems were compromised and third parties are making these calls for unkown reasons.
I understand Symantec is a large organization, and the ass often doesn't know what the elbow is doing, but somebody there should know if these calls are legitimate, and if they are, somebody from the security department should have a meeting with the customer service or marketing department to discuss "appropriate" questions. This situation is no different than somebody calling me from a blocked number and claiming to be from my bank, asking for personal information that they should either already have or is none of their business, and being unable to provide me with any proof of who they are or a means to contact them back through offical bank channels. And the result is the same - "Goodbye" - <click>.