Indian Call Centre Worker Sells Customer Details

lxt writes "A British tabloid newspaper managed to buy the personal details of over 1000 bank customers from an off-shore call centre based in Delhi. An IT worker at the call centre handed over details at £4.25 per customer, as well as credit card numbers and account passwords. He claimed could sell over 200,000 account details every month. The British police force has passed on details to Interpol and the Indian authorities, in an attempt to prosecute the individual. The BBC is also covering the story."

Lowest bidder indeed

[tomstdenis]

Looks like someone in India is trying to improve their "standards of living". Now either people in India/China/etc get paid more or there is just going to be more people stealing.

In other words, "the jig is up".

I'm not saying "people from India are criminals". I'm saying someone [anywhere] who is paid like shit to do a job is likely going to try and supplement their income. This could [and has] just as easily happen in Canada or the states.

Tip of the iceberg...

Tom

Re:Lowest bidder indeed

[metlin]

Well, this is where big companies come in.

At the peak of the outsourcing boom, people were outsourcing to just about any random company without running through their credibility or history.

As a result, they ended up having contracts with people who didn't care all that much about their data, or what it meant. This is another example of why that's so screwed up.

Now, things will even out. All the smaller outsourcing firms will lose out and only the big players will remain - they may charge more, but they also pay more and will usually have procedures in place that will prevent this sort of thing.

This is a good thing, because things will even out, some may choose to go to another firm, or some may come back here to the US. Either way, the market will eventually stabilize.

Re:Lowest bidder indeed

[BewireNomali]

I knew two guys in college who got by on credit card scams. Those were the days when the nameless university (NYU, cough) thought it cool to put part of your social security number in your student ID number. The smart guys could derive the rest, and everyone is but a drunken night away from divulging their whole life story, so, guy #1 was caught and convicted to 11 years for credit card fraud.

The second guy had a girlfriend who worked at a neurologist's office. Most of the patients are old with degenerative conditions. When a patient would die, the girlfriend would pass on the info, and he'd get some cards, max em out, and throw them away. He's actually a pretty successful guy now. don't think he's with the girl anymore though.

All of which is to say - the problem is ubiquitious. Corruption is inherent with the humans dealing with the data, but I can't help but think that there must be a better way of dealing with financial data to prevent theft.

I'm torn, because with increased attempts at security come fewer freedoms. Pretty soon you'll have to give up the Gattaca drop of blood in order to buy movie tickets. I'm not sure if that makes the world a better place.

Not Just in India

[ehaggis]

I know many will make the claim, "It's because it's in India with low paid workers." Let's remember the news in the US this year. How many breaches of security (CitiGroup, FDIC, Lexus Nexus, more have resulted in lost or stolen personal information in the United States of America? How many of these breaches were by high paid workers? It is not a matter of where or who lost or stole information. The core issue is the ignorance of the value of information. Personal information is the new commidity and big corporations have not had the epiphany or received the memo saying so. When they and consumers realize there is real money at stake, all will stand up and take notice.

running from a guy with a gun

[dindi]

when I arrived here to Costa Rica first, to set up some network stuff and firewalls, I was told that the previous tech was chased by the neighbour outside with a gun in hand because he stole casino player data ....

well, before you think that it was your average latino guy that carries a gun i have to tell that it was a US businessman who operates a casino here ...

well I think if instead of the police, some big guy chases you down the street with a gun every time you touch data that does not belong to you - really makes the point ... and would keep people selling other's sensitive info ...

"where there is gambling, there are criminals"

I've worked in a call center

[PsiPsiStar]

I've worked in a call center in the Philippines. For background, the Philippines is another popular call center location for US companies since there are fewer accent problems and the culture is remarkably American. The Phils is a better location for call centers than India, excepting the technology related fields, though the pool of workers with the proper skills is close to exhausted for the time being.

Anyway, at one point, a guy used someone's credit card to buy roses for his girlfriend. That's below criminal, and into the "just plain stupid" range.

After that, the company locked down everything. No cell phones on the floor, etc. Reps who regularly deal with sensitive e-mail don't even have access to e-mail. Access to sites like Yahoo is blocked from their computer and I'm not sure what else

While all activity is monitored, last I heard they were looking for a way to automate their search for suspicious behavior. (scanning logs for when a user opens notepad and types a credit card number. Probably not too hard in Perl, but I don't know the language.)

People talk about lower standards of living in other countries, forgetting that this is partly made up for by the fact that it's a lot CHEAPER to live overseas than in the United states. So while poverty in 3rd world countries is rampant, if you pay someone a halfway decent wage, the money goes a long way there.

And when you get down to it, it would be pretty tough to run a call center in the US staffed with college grads, like you could do in the Philippines, and keep it open 24 hours a day.

The fact that it's harder to prosecute people overseas is a problem. The company I worked for was based in the US, though, so it was still liable under US law. And I think that the company's potential liability was a selling point with potential clients.

Of course, one element in every crime is opportunity. The black market in the Philippines seemed much bigger than in the states which should increase the opportunity to sell things a person shouldn't be selling, be they pirated DVDs or CC#s

Re:DPA (1998) Breach

[Colin+Smith]

There are things which can be done, as other posters have mentioned, segregation of duties and access, data obfuscation to minimise the kind of damage done. Sounds like none of that was implemented.

" in addition to the laws currently on the books, that they should get extended to provide real penalties to companies and people in breach."

Absolutely. A law without enforced penalties is a waste of time and money. There *has* been an offence against the DPA here, the customer data is evidence. The law requires proactive implementation of safeguards to stop it happening, though it doesn't specify what those safeguards should be.

At the moment, people found guilty of an offence can only be fined a maximum of £5000 (Per offence?). I think that we need prison as an option.

Everybody has it sort of sideways

[arete]

The disease is a lack of responsibility of all kinds across our culture. Corporate execs should be personally responsible for known bad practices followed for slightly financial gain on their watch, for instance - a sense of good practices would then be taken personally by those officers.

This is a problem exacerbated by outsourcing and also one reason FOR outsourcing this sort of thing. But it is not a problem particular to _offshoring_ - the problem is with companies' belief that contracting the work gets them free from responsibility for managing the safety of their customer's data - which they aren't very good at anyway. Offshoring makes legal enforcement trickier, but that's really not nearly the prime problem here.

What you need is a legal system providing substantial penalties to the banks - or anyone else collecting similar information - if they "lose" your data. These penalties should start with statutory minimum class-action penalties which automatically increase over several years and then add corporate officer liability in cases of negligence, not just malice.

Then, offshored or not, outsourced or not, they'll FIND a way to keep your information safe.

Re:Lowest bidder indeed - about your own morals

Well, he went to NYU so maybe he grew up in NYC. Some cities/neighbourhoods impress their culture on you as much as going to a seminary school everyday would. "Don't snitch if it ain't your business" is an evolutionary-enforced survival instinct in crowded urban areas.

Besides, those may have been childhood friends. You don't rat out a mate especially when you know he'd be facing +10yrs and shower rushes.

I had my place broken into once and completely trashed while I was on vacation. They caught the kids (well, over 18) and put one of them on trial for it. I had a chance to speak before sentencing and the prosecutor had told me the judge was a hardass who hated vandalism and this guy was looking at 2-4yrs. But when I saw him - skinny, poor, terrified - I just couldn't do it. Got up and asked the judge to give him a community sentence and downplayed the effect it had on me and my gf (boy, was my gf furious w/ me). The punishment had to fit the crime and I didn't want this guy getting raped (bad prisons in my area) over a couple of thousand dollars. Long story short, kid got suspended sentence, I forget about it until nearly 10yrs later when I met him on my university campus where he enrolled after eventually pulling his life together. I've got no regrets and would/will do the same again.