Slashdot Mirror
Private Data Sold From Indian Call Center
Matt Freman writes to mention a ZDNet article on reports that private data is being sold out of an Indian call center. A U.K. television programme, 'Dispatches', follows a 12-month investigative report on illegal privacy-related activities. During the taping of the show thousands of U.K. bank customers had their personal information sold by the staff of a call center. From the article: "Indian IT trade organization Nasscom criticized Channel 4 for refusing to show it any of the footage before it was broadcast on Thursday evening. It urged the program makers to cooperate in rooting out and prosecuting any 'corrupt' call center workers. 'The whole issue of data security is a global problem,' said Sunil Mehta, a vice president at Nasscom. 'There are bad apples in every industry around the world, and these incidents happen in India and the U.K. This is not a widespread problem in India. Security measures and practices that Indian companies have are the best in the world.'"
Also, I always wondered why companies that outsource are assured their trade secrets are not sold too.
Thus, the people who know they are making a great deal less than people in the UK or US feel that they are doing this to equalize themselves. It is a psychological phenomenon. People don't just want to do well, they want to do better than others.
Of course, there isn't any reason to believe that private data couldn't be illegally sold in the UK... or in the U.S., or France, or Canada, or Germany, or Japan, or whereever. In fact, data theft has most certainly happened in all those countries!
But you are going to have a salvo of posts demonizing India as a place to do buisness. People with either a xenophobic agenda, or a protectionist agenda will jump on this with the whole "India is evil! Don't outsource to India" paranoia and hysteria, when in fact there is no reason to believe your data is more secure anywhere else.
It's good to know that there isn't anyone in America who'd do the same thing...
While I'm no fan of offshoring, in all fairness, it is true that data theft as described is not a problem unique to India. The real question is, how are these things handled by the courts and laws of the countries in which they occur? If there is some assurance that perpetrators will be brought to justice and things put to rights, as much as possible, then it may not be as big a deal. However, if the courts or laws are weak/corrupt and the penalties associated with data theft are laughable compared to the benefits, then you have a big problem. Many companies have been attracted to India and other countries by relatively cheap labor, but they really need to look at the rule and culture of law in any country they plan to do business in as well. This of course assumes that they are truly interested in benefitting the customer and haven't just added in data theft as a cost of doing business.
To the making of books there is no end, so let's get started
A related atricle on BBC.
http://news.bbc.co.uk/2/hi/business/5405438.stm
Not every Indian is necessarily corrupt. However, even an handful can ruin the reputation of the entire bunch. The Indian Govt. has to crack down really hard on the people caught seeling the data.
PS: I am an Indian too...
"Not every Indian is necessarily corrupt. However, even an handful can ruin the reputation of the entire bunch. The Indian Govt. has to crack down really hard on the people caught selling the data."
Substitute "American" for "Indian" in that sentence. Then start going down the line with other countries. P.S. I am an American too.
Where were you when the voynix came?
It's that it is beyond the reach of local law enforcement which complicates things.
Let's say that the same crime happpens locally. Local laws are applied against local criminals. If I recall correctly, the last time this issue was discussed, "identity theft" and related fraud weren't necessarily a crime in India or at least they didn't have the same level of urgency out there. Whatever the case, there is no guarantee that the handling of these problems would reflect the same level of justice as it would locally due to disparity of law enforcement priority, communications among law enforcement, etc.
On the other hand, if we had some sort of international treaty regarding these matters, that might balance out the problem. For example, all employees of these call centers should be made to operate under the laws of the city, state and nation of the company they are representing and if they are suspected of being in criminal violation of such laws, they should be extradited to the city, state or nation for criminal prosecution.
But in my opinion, that wouldn't really be enough. These people are simply too far out of reach to be held accountable. I just feel like we're at risk having some rather critical information exported to other countries for processing where our laws and regulations do not necessarily apply. It's bad enough when it happens here on our own soil, but at least we can take SOME action against it. Internationally, it's just all the more complicated.
last night, people were selling amazing amounts of information. One person claimed (and showed a recording as proof) to have actual voice recordings of people handing over credit card and security numbers...
Whilst this might be just a few bad apples it does make the whole sector look bad, and I'm not sure I want to be giving my card numbers to compainies who outsource so readily without checking fully what staff are up to.
Interestingly though was the response from the banks, which amounted to "so what". They really don't care. Whenever someone is a victim of fraud through these, or other, means they simply pay up and give the customer their money back, which apparently is cheaper than making sure that it doesn't happen - besides not everyone will notice, and they profit from the people who are scammed and don't notice
*''I can't believe it's not a hyperlink.''
"I work at an outsourced customer support company. The policies where I work is if your caught abusing the information you get, you get fired. Simple as that"
Is it easier to fire the bad guys there because you are less likely to have a crooked lawyer come up out of the ooze and file a frivolous "wrongful termination" lawsuit? I know that is a problem in the US.
Where were you when the voynix came?
I saw this coming last year when several banks here stated they were moving many services unrelated to call centers, out of the US for financial reasons. It would appear that people generally don't care about others, which is only exacerbated by national identity detracting from emotional identification. What does an Indian care about some schmuck from the UK? About as much some guy in the UK cares about an Indian.
Then again, it could be argued that by sending financial services to the lowest bidder, banks are encouraging wholesale fraud. It's probably a combination of many factors, these only being the low-hanging fruit. I'd like to think banks would be more responsible with our money, but apparently charging outrageous interest rates on loans and transactions isn't enough of a profit.
Read: Rabbit Rue - Free serial nove
Amen. We just recently had an esoteric problem with Windows and roaming profiles where in about 1% of the logons, the user's perms to their user hive in the registry would be removed, preventing any GPOs from applying. After two weeks of debugging and not being able to faithfully reproduce it, we called microsoft and paid for an advanced support call to troubleshoot mission critical issues. This is one where "senior management" is allegedly notified of your issue.
We never got out of India, as evidenced by the emails that went back and forth and their origin (you can't always judge by accent because there are Indian citizens working domestically). However, as you stated, the ability to understand what they were saying was enough to drag each call out to twice as long as it should have been.
Then there's the quality of the "support." We were treated as if we were Grandma with a PC problem. We provided clear userenv logs and asked specific questions like "What causes migratent4tont5 process to invoked? What exactly is it checking for since we have no nt4 machines left?" No answers to our specific questions. Instead we got "advice" like.
After a while the case person stopped returning our calls and their email started bouncing. Emailing the manager on record for this also bounced. Seemed like their email server was having problems.
They never followed-up on the call. After another week we found out what the problem was. If the ProfileList HKLM key didn't match what local cached profiles of roaming profiles exist on any given machine, it *sometimes* triggered this process that ended up changing the ACLs on the user hive preventing GPOs from being set. Solution was a machine startup script to check that list and remove any entries that conflicted.
They never even hinted to us where to look. We just found it through a heck of a lot of trial, errors, and observations. As far as I know, over a month later, the case is still open with them. They have never bothered to follow up. Then again, they probably closed the call with some lame excuse like "Customer refused to cooperate" (yes, we refused to remove anti-virus from all 2000 of our desktops. It was a stupid suggestion and had nothing to do with the problem at all)
If the company designed its security and auditing correctly, call center employees should never have the ability to do this in the first place. Why are they trusting call center employees with wholesale access to customers' private data? Competent companies will require the employees to provide an explanation every time they access a record, and these will be tied to their phone records to make sure they are only accessing information relevant to their current task. A good audit trail, flagging unusual access behavior, combined with limiting access only to individual records at a time would have stopped these breaches.
Yes, some of these outsourced call centers are inexpensive because they don't do things like this. But you get what you pay for, right?
Don't be too quick to downgrade the parent. His message may seem trollish but his point is valid. They claim that their security measures are the best in the world but they also make other claims that are done purely to make their industry look more appealing to potential customers - not necessarily with any basis in reality(whether that is sales abilities, communciation skills, work ethic etc.). So if one claim is pure marketing then who is to say that the claim regarding security is anything other than an attempt to ease the fears of potential customers?
I don't believe in cuttting corners, I don't think that's a long term strategy. For example, I don't hire people I don't trust. I hear people talking about outsourcing and they mention giving them a part of the non-critical portion of the code. Why bring these people on board who you don't trust? Short term profit? What about long term profit when these people you don't trust steal the rest of your code and compete against you?
Or, since you're just looking at them on a cost basis, paying them as little as possible, they aren't motivated. So their productivity is lower. I believe you should hire people and give them ownership and high pay. That's a long term strategy. All these companies outsourcing right now are going to get a rude awakening down the line.
2 years and no mod points. Join reddit. Because openness is good.
Exactly, whilst I agree my post probably came across as a little too trollish, my point was that comments like that are as ignorant and short-sighted pro-India marketing propaganda as the original article is anti-India marketing propaganda. When many outsourcing companies have been making claims like that (although of course in this case it was a response) is it suprising that western organisations hit back with an equivalent amount of propaganda? In an ideal world they'd all just grow up and avoid spreading any propaganda in the first place ;)
This is just the tip of the iceberg. Consider what happens to code development shipped offshore. It amuses me that businesses with strict non-open source code policies offshore code development because it's pretty much a de facto, if unofficial, grant of open source. It's even worse when people use offshore resources for "secret" prototype development and the such in an attempt to save money on project startup. I cannot think of a worse venue to put confidential new development into.
This problem is a compound problem. First you have low wage workers that are more likely to succumb to temptation of selling such secrets. Second, you have jurisdictional problems - technically you could make a legal claim through treaties and the like, but the hassles and delays would take years and years to resolve and probably give no real satisfaction (this is why I say de facto in the above, even if you disallow something, if there is no real useful legal remedial process behind it, whatever agreed is basically unenforcable). Third, there are cultural problems where intellectual property and consumer privacy are fairly artificial constructs of the legal systems of developed countries.
The bottom line is that this is only going to get worse and I imagine that Western companies will soon face legal liability for outsourcing in two ways:
1. To shareholders for assigning development to offshore resources that results in compromise of trade secrets or the like.
2. To consumers for breaches of privacy and resulting identify theft and the like.
The companies will argue that they entered into contractual agreements with third parties so it wasn't their fault, but I suspect that many of these cases could and will be successfully pressed on the basis of a lack of due diligence, especially against the backdrop of known incidents such as this.
These type of "fear the indian call center" play really well because they hit such a high number of issues.
ID theft- scary, currently a nice hot issue.
Privacy - little recourse for violations,
Offshoring - They're stealing jobs!!
Jobs people don't want. FWIW there are some larger call centers in various parts of North America that are growing.
Indian accents - some people have trouble with them.
Racism - Some people just don't like them even if we solve all the other issues.
This is just cheap shot journalism at an easy target that gets people upset. This same type of privacy violation can and does happen in every part of the first world.
In an ideal world, the SE that gave a realistic estimate of 300 hours would get the contract.
In the real world, the SE who says it will take 150 hours and then extends it to 300 hours for various reasons gets the contract.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
it's the SE who says it will take 150 hours and then extends it to 450 hours for various reasons who gets the contract.
It would be easy for someone to slip in a virus to round off the fractions of a cent in the interest computations and put the remainders in an account.
You just need someone who knows the credit union software to install it.
And the saddest part of this tale is that since the problem was solved (by the customer) after having dealt with the crack MS support staff, I imagine it will appear as a successful resolution for that support center, further legitimizing their use. While in actuality, the customer is completely dissatisfied.
Money talks in any language....
It's left blank because I have nothing to say to you punks!
if you had watched the program you would of seen them talk to UK callcenter employees who could supply the same data, the only reason they went to India was because of the numbers, UK employees wanted 10-50 times what the Indians wanted for each piece of data and they (indians) could supply them in much larger quantities (100,000 fresh details per month) so as responsible jounalist do they followed the big fish not the little minnows
They can not even prosecute clear cut cases of murder, when there is ample proof.
Just a somwhat current example: the murder of Jessica Lal.
The victim, an attractive model, worked at the bar at a friend's party in a fancy restaurant. A son of a powerful politician comes in with his entourage and asks for a drink. She refuses to give him one, because the bar is already closed. The man - offended beeing refused in front of his friends - pulls a gun and shoots her direct in the face.
Numerous witnesses. Ample evidence. OJ Simpson was a mystery compared to that. And yet, after seven years of judical wrangling, the man walks away free (not that he ever spent a day in jail). Witnesses who can not remember anything, a police that just happens to destroy or devalue all evidence - the case stinks of corruption.
Its been a major scandal in India half a year ago. But only because the victim was well known and had many influential friends of her own. Had she been a simple rural woman, we wouldn't even know. Local observers note that affairs like that are standard practice - if you are rich enough in India, there is no law that applies to you, because everybody is corrupt and can be bought.
Don't believe me ? Just google for Jessica Lal, and read the whole sordid story.
I have no doubt about that. But this particular problem I described was very esoteric. Basically, if you get an userenv dump and google for some of the words found in it, you get tens of thousands of matches from other dumps people have posted over time.
The problem was, some of these in the section at issue we googled and got ZERO hits on, meaning no one has seen it before probably. No hits on microsoft's public website.
Which means it probably isn't in the call support staff's DB either. And I bet a huge amount of cash that these call centers have requirements to limit the number of calls they escalate to engineers in Redmond, so they are very reluctant to do so.
In the end, no support for truly difficult problems. The sad thing is, since this string was very unique, if this was open source OS we could have at least searched the source tree for the string and determined what logic happens to trigger that to be outputted in a log file. :-(
All you see is the more careless ones getting caught. Identity theft actvities goes on, even in the US- we just
have a better handle on it so that the sloppy ones don't get very far. In India and elsewhere, you pay for cheap,
they don't give a care about security- what costs is the pay for the labor to be less inclined to do corrupt things
and for the security to ensure that if they do, they typically get caught real quick.
All because of some idiot that has an MBA that thinks he has a solid handle on economics and business thinks that
it'll be cheaper to do this "offshoring" thing- because everyone else is doing it and you can't afford to not do it.
Well, I'm here to tell you that if you can't afford to pay people here in the States (or UK, or Australia, or...)
you probably really can't afford offshoring it unless you get lucky. Offshoring is a damn crapshoot- and you might
get lucky, the odds with you for a while. But, at some point, it comes back to roost and all that money you "saved"
just got flushed down the toilet in liability suits, lost reputation, and reperations to the poor sots that got
screwed by the identity thefts, etc. that comes from it.
Sure, there's sharp people over in India and Russia. Do you think for one moment that you're GETTING those people
when you offshore? If you do, you're fooling yourself. The really competent ones cost as much as they do here over
there. What are you getting when you do the offshore thing? The middle of the crowd at best and the bottom of the
barrel leavings- because they're cheaper.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
The law is being made a lot more stringent, and every person whose personal data has been compromised can get compensation upto 5 crore INR (50 million INR) as civil damages, as well as criminal action leading to fines and/or imprisonment. Under Indian law, any affected individual can bring a criminal lawsuit, without having to wait for the government to intervene.
/ message/2848
http://tech.groups.yahoo.com/group/cyberlaw-india
I can throw myself at the ground, and miss.
This happened to me. had an email adress that didnt get any spam and only used it for internal company communications. Emailed Leadtek one day about a part that needed a replacement, and boom, spam stars pouring in the next day.
All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.
http://jiyocricket.blogspot.com/2006/10/channel-4- call-centre-id-theft-exposed.html
crazy stuff. all ur data belongs to them
We have to realize that this is an inevitable cost of globalization. If we believe that globalization is a good thing overall, then the first world has to adapt too. A country like India has "information services" to offer to the global market and is competing on price. How is this different from any other commodity being traded globally?
So I've heard a lot of anti-India, anti-outsourcing, anti-brown people and so on. Lets go back and clear up a few basic points, the stuff that can be readily checked by spending 5 minutes on google.
Indian call center employees aren't being exploited, they don't go through every day burning with the knowledge that Chuck from Portland makes more money than they do. People need to stop looking at this from their perspective, in America you could barely eat on $5000 a year but in India, where the buying power of one dollar is much much higher than compared to the 1st world, that's enough to comfortably put you into the lower middle class income bracket. There are people who make less than $10 a month. So nobody's doing this out of some misdirected anger at the white oppressors making them slave at their terminals, many Call Centers are Indian companies, locally managed and recruiting from colleges and universities where they can get young, educated people who are doing this as their first job out of school, anything they make is good money.
On the issue of accents: Compared to the level of English the average American high school graduate can accomplish, any one of these people could run circles around you in a literary duel, if ever there was one. We speak with accents because we're not native English speakers, we learn hindi/benglai/punjabi/gujrati/tamil as well as English, and take on the speech patterns of the language spoken most often. So, if you choose to ridicule us because of our accents, know that the average Indian high schooler usually knows 3 languages (at least 2) and can probably understand a couple more, as compared to the American kid who's struggling with his one. And guess what? I bet Shakespeare had a pretty funny accent too ...
Third, and this point has been made already but its worth reiterating, this isn't a local Indian problem. I remember 4 separate instances of large scale personal data theft in the U.S over the last year, and I don't even pay that much attention so there's probably more. So, before you break out the stones, look back at the glass walls you're in.