Private Data Sold From Indian Call Center

Matt Freman writes to mention a ZDNet article on reports that private data is being sold out of an Indian call center. A U.K. television programme, 'Dispatches', follows a 12-month investigative report on illegal privacy-related activities. During the taping of the show thousands of U.K. bank customers had their personal information sold by the staff of a call center. From the article: "Indian IT trade organization Nasscom criticized Channel 4 for refusing to show it any of the footage before it was broadcast on Thursday evening. It urged the program makers to cooperate in rooting out and prosecuting any 'corrupt' call center workers. 'The whole issue of data security is a global problem,' said Sunil Mehta, a vice president at Nasscom. 'There are bad apples in every industry around the world, and these incidents happen in India and the U.K. This is not a widespread problem in India. Security measures and practices that Indian companies have are the best in the world.'"

How are cases prosecuted?

[weave]

If a worker who works in same country as the company is caught in fraud, they are prosecuted and thrown in jail. If a megacorp outsources off-shore and the employees of that company are involved in fraud, exactly what assurances does that company or its customers have that the perps are prosecuted?

Also, I always wondered why companies that outsource are assured their trade secrets are not sold too.

Re:How are cases prosecuted?

[pete6677]

Most shady people who would sell others' information would not care about being fired from some $7.50/hr call center job. Prosecution is not a big threat either, as rare as it is for people to be aggressively prosecuted for data theft. This is true no matter what country the call center operates in. It's just what will inevitably happen when you farm out important corporate operations to the lowest bidder. Of course they will take shortcuts and of course there will be shady people willing to exploit the situation. The only thing surprising about this article is that people didn't realize the potential for these problems a lot sooner. And the only thing that surprises me about fraud is that it isn't more common, as easy as it is to do. All it takes to succeed is a little common sense is a complete lack of morals.

Its the Economics, STUPID

[Anarke_Incarnate]

When you pay someone a wage, that relative to those of the people they deal with, they will become angry and resentful. The point of moving offshore is to save costs because the cost of living is so low, making the wages low.

Thus, the people who know they are making a great deal less than people in the UK or US feel that they are doing this to equalize themselves. It is a psychological phenomenon. People don't just want to do well, they want to do better than others.

Blame it on India!

[RexRhino]

Of course, there isn't any reason to believe that private data couldn't be illegally sold in the UK... or in the U.S., or France, or Canada, or Germany, or Japan, or whereever. In fact, data theft has most certainly happened in all those countries!

But you are going to have a salvo of posts demonizing India as a place to do buisness. People with either a xenophobic agenda, or a protectionist agenda will jump on this with the whole "India is evil! Don't outsource to India" paranoia and hysteria, when in fact there is no reason to believe your data is more secure anywhere else.

Re:Blame it on India!

[Danga]

People with either a xenophobic agenda, or a protectionist agenda will jump on this with the whole "India is evil! Don't outsource to India" paranoia and hysteria, when in fact there is no reason to believe your data is more secure anywhere else.

There is a reason to believe my data would be more secure somewhere else and for me that would be here in the US. The reason it would be safer is because if someone were to sell my information working at a company here in the US then they would be held accountable to the laws we have against that and they would pay the price because I certainly would go after them myself if necessary. If the person who sells my data happens to be in another country then I would not have the choice to go after them myself and even though they most likely would lose their job their home country may not have any laws against what they did with my information so they could basically get away with it. So while there truly are "bad apples" everywhere there would be MUCH more deterent to sell someones personal information in a country that has laws against it than in a country where those laws do not exist.

I think if I was making $2/hr (I made that up, I don't know what the real number is but I am sure it is low compared to the US) while I knew I was being exploited for cheap labor and was offered a large sum of money in exchange for personal data knowing I would lose my job but not be in trouble legally that I would probably take the money and go hunting for a new job.

Basically I hope that some laws are passed in the US (and other countries) that already have laws guarding personal information to make sure if companies outsource access to that information that they are only allowed to outsource it to a country that has at least the same laws in regard to personal information. The best choice would to not outsource that information at all (so if the company in another country did not persue the employee legally I could do it myself) but at least this way if someone did do something with my personal information I would have some hope that they would be punished more than just losing their job.

Re:Blame it on India!

[dotdash]

I think if I was making $2/hr (I made that up, I don't know what the real number is but I am sure it is low compared to the US) while I knew I was being exploited for cheap labor and was offered a large sum of money in exchange for personal data knowing I would lose my job but not be in trouble legally that I would probably take the money and go hunting for a new job.

A call center employee in India does make about $2.3 dollars per hour. However, I am really tired of people quoting these low Dollar figures for pay, while forgetting to mention that the "low pay" tends to be rather high for the local economy.

Let me give you some estimate of costs and expenses in US Dollars. These numbers are for cities like Bangalore and lie closer to the upper limit. I have considered the kind of restaurants and other establishments a young and hip call-center employee is likely to haunt. In the interest of full disclosure: I am Indian, and am quite familiar with the goings on in India in the IT and BPO fields.

Here is the summary before I give you the details: A call-center employee has the potential to save about 35% of his monthly pay. I wish I could do so in the US. Even by Indian standards, 35% is very good savings potential. For comparison, my sister and brother-in-law live in Bangalore, do not work in IT or BPO, and together earn less than the average call-center employee does. Mind you they both have daily expenses. They also have other expenses (schooling and feeding children mostly) an average call-center employee tends not to: The average call-center employee is single, in early 20s, and quite often not contributing much financially to his family.

With numbers like these, I can argue that call-center employees in India have a lot less incentive to sell out. That is, people in the US might look for "supplemental income" more than an Indian call-center employee does. Now, I don't believe that is so, just like I don't believe the argument that the lower Dollar-wage makes Indians (or other nationals) sell out data.

Here is the deal: For every 100 guys selling data, there is one guy buying it. The buyer shops in India because doing so is less expensive for him. So, how about we also look at where the buyers are coming from and what they do with it?

Average Monthly Numbers

• Pay: $444.44
• Expenses: -$276.75 (Everyday expenses (-$150.9), and rent and other montly expenses (-$125.85)
• Savings: $167.69 (37.7% of income)

Everyday expenses (Note: Call centers in India give their employees free refreshments and free/subidised transportation)

• A cup of coffee at a really fancy coffee house: $0.33 (yes, 33 cents)
• A cup of ice cream at a really fancy parlour: $0.65 (must buy ice cream for the girl that tags along)
• A pack of cigarettes: $1.5 (cigarette smoking seems to be on the rise)
• A full meal at a really fancy restaurant: $2.22
• A day pass on a city bus: $0.56 (though the average call-center employees are unlikely to take a bus: they ride bikes)
• A can of beer: $2.00 (most people don't drink beer everyday, but I list it here in case you are wondering)

Monthly expenses

• Rent: $44.00 (A native is likely to live with parents, and pays well below this number)
• Hair cut: $0.55
• Movie tickets, for four shows: $3.00 (movies are the most popular form of entertainment)
• Concessions at the movies for four shows: $4.50
• Apparel for self: $10.00
• Apparel for the person you are wooing: $10.00
• 10 gallons of gas: $48.8 (yes, gas is that expensive)
• Vehicle maintenance: $5.00

Big-ticket

• A new motorcycle: $1000.00

Courts and Law

[blueZhift]

While I'm no fan of offshoring, in all fairness, it is true that data theft as described is not a problem unique to India. The real question is, how are these things handled by the courts and laws of the countries in which they occur? If there is some assurance that perpetrators will be brought to justice and things put to rights, as much as possible, then it may not be as big a deal. However, if the courts or laws are weak/corrupt and the penalties associated with data theft are laughable compared to the benefits, then you have a big problem. Many companies have been attracted to India and other countries by relatively cheap labor, but they really need to look at the rule and culture of law in any country they plan to do business in as well. This of course assumes that they are truly interested in benefitting the customer and haven't just added in data theft as a cost of doing business.

What can you say

[Garette]

A related atricle on BBC.
http://news.bbc.co.uk/2/hi/business/5405438.stm
Not every Indian is necessarily corrupt. However, even an handful can ruin the reputation of the entire bunch. The Indian Govt. has to crack down really hard on the people caught seeling the data.

PS: I am an Indian too...

It's not that it's everywhere that's the problem!

[erroneus]

It's that it is beyond the reach of local law enforcement which complicates things.

Let's say that the same crime happpens locally. Local laws are applied against local criminals. If I recall correctly, the last time this issue was discussed, "identity theft" and related fraud weren't necessarily a crime in India or at least they didn't have the same level of urgency out there. Whatever the case, there is no guarantee that the handling of these problems would reflect the same level of justice as it would locally due to disparity of law enforcement priority, communications among law enforcement, etc.

On the other hand, if we had some sort of international treaty regarding these matters, that might balance out the problem. For example, all employees of these call centers should be made to operate under the laws of the city, state and nation of the company they are representing and if they are suspected of being in criminal violation of such laws, they should be extradited to the city, state or nation for criminal prosecution.

But in my opinion, that wouldn't really be enough. These people are simply too far out of reach to be held accountable. I just feel like we're at risk having some rather critical information exported to other countries for processing where our laws and regulations do not necessarily apply. It's bad enough when it happens here on our own soil, but at least we can take SOME action against it. Internationally, it's just all the more complicated.

I watched this,

[joe+155]

last night, people were selling amazing amounts of information. One person claimed (and showed a recording as proof) to have actual voice recordings of people handing over credit card and security numbers...

Whilst this might be just a few bad apples it does make the whole sector look bad, and I'm not sure I want to be giving my card numbers to compainies who outsource so readily without checking fully what staff are up to.

Interestingly though was the response from the banks, which amounted to "so what". They really don't care. Whenever someone is a victim of fraud through these, or other, means they simply pay up and give the customer their money back, which apparently is cheaper than making sure that it doesn't happen - besides not everyone will notice, and they profit from the people who are scammed and don't notice

Re:I watched this,

[REBloomfield]

I saw it too, and realised where the three cold calls i recieved earlier this year may have originated from. I was called on my mobile by an middle eastern sounding man or woman, and told that they could move me to a much better contract, and if i was happy they could go ahead and make the change straight away as they had all the details they needed. They hung up when I demanded to know what details they had and where they got them from. Scary stuff; I'm careful with my details, and I haven't bought a mobile 'phone over the 'phone or online like most of the people mentioned.

It was eye opening for my wife, she had no idea how easy it was to commit fraud with a few card details and the CSV number on the back. She doesn't buy anything remotely, so wouldn't know better, but i was shocked that many people could be this open to potential fraud.

Re:Hmm...

[weave]

Amen. We just recently had an esoteric problem with Windows and roaming profiles where in about 1% of the logons, the user's perms to their user hive in the registry would be removed, preventing any GPOs from applying. After two weeks of debugging and not being able to faithfully reproduce it, we called microsoft and paid for an advanced support call to troubleshoot mission critical issues. This is one where "senior management" is allegedly notified of your issue.

We never got out of India, as evidenced by the emails that went back and forth and their origin (you can't always judge by accent because there are Indian citizens working domestically). However, as you stated, the ability to understand what they were saying was enough to drag each call out to twice as long as it should have been.

Then there's the quality of the "support." We were treated as if we were Grandma with a PC problem. We provided clear userenv logs and asked specific questions like "What causes migratent4tont5 process to invoked? What exactly is it checking for since we have no nt4 machines left?" No answers to our specific questions. Instead we got "advice" like.

• It's probably a virus problem.
• Please remove all non-microsoft services from all of your machines. "What? Including our Anti-virus software?" The answer was, yes.
• It's a driver issue with nvidia video cards (we don't have any machines with nvidia cards)

After a while the case person stopped returning our calls and their email started bouncing. Emailing the manager on record for this also bounced. Seemed like their email server was having problems.

They never followed-up on the call. After another week we found out what the problem was. If the ProfileList HKLM key didn't match what local cached profiles of roaming profiles exist on any given machine, it *sometimes* triggered this process that ended up changing the ACLs on the user hive preventing GPOs from being set. Solution was a machine startup script to check that list and remove any entries that conflicted.

They never even hinted to us where to look. We just found it through a heck of a lot of trial, errors, and observations. As far as I know, over a month later, the case is still open with them. They have never bothered to follow up. Then again, they probably closed the call with some lame excuse like "Customer refused to cooperate" (yes, we refused to remove anti-virus from all 2000 of our desktops. It was a stupid suggestion and had nothing to do with the problem at all)

Re:can the fired bad guys sue easily?

[weave]

Fired? That's it? I'm curious of the economics of the crime then. Is it possible that one can earn enough coin by selling information where they never have to work again, and hence firing is worth it?

Call center employees shouldn't be able to do this

[Fastolfe]

If the company designed its security and auditing correctly, call center employees should never have the ability to do this in the first place. Why are they trusting call center employees with wholesale access to customers' private data? Competent companies will require the employees to provide an explanation every time they access a record, and these will be tied to their phone records to make sure they are only accessing information relevant to their current task. A good audit trail, flagging unusual access behavior, combined with limiting access only to individual records at a time would have stopped these breaches.

Yes, some of these outsourced call centers are inexpensive because they don't do things like this. But you get what you pay for, right?

Re:Hmm...

[Lactoso]

GP is blaming Microsoft. Specifically, Microsoft's decision to outsource support to a foreign nation, Microsoft's lack of training of this outsourced support staff, Microsoft's apparent apathy with the end-user (used to be called 'the customer' in the old days) experience, and Microsoft's failure to meet their support claims (this was a paid support call where 'senior management' was supposedly notified).

And the saddest part of this tale is that since the problem was solved (by the customer) after having dealt with the crack MS support staff, I imagine it will appear as a successful resolution for that support center, further legitimizing their use. While in actuality, the customer is completely dissatisfied.

Nope. India is just a morass of corruption.

[frost22]

They can not even prosecute clear cut cases of murder, when there is ample proof.

Just a somwhat current example: the murder of Jessica Lal.

The victim, an attractive model, worked at the bar at a friend's party in a fancy restaurant. A son of a powerful politician comes in with his entourage and asks for a drink. She refuses to give him one, because the bar is already closed. The man - offended beeing refused in front of his friends - pulls a gun and shoots her direct in the face.

Numerous witnesses. Ample evidence. OJ Simpson was a mystery compared to that. And yet, after seven years of judical wrangling, the man walks away free (not that he ever spent a day in jail). Witnesses who can not remember anything, a police that just happens to destroy or devalue all evidence - the case stinks of corruption.

Its been a major scandal in India half a year ago. But only because the victim was well known and had many influential friends of her own. Had she been a simple rural woman, we wouldn't even know. Local observers note that affairs like that are standard practice - if you are rich enough in India, there is no law that applies to you, because everybody is corrupt and can be bought.

Don't believe me ? Just google for Jessica Lal, and read the whole sordid story.

Re:Cheap shot journalism

[MrMickS]

The programme did speak to someone working in a call centre in the UK. That person pretty much said that the security was so lax that any of the breaches levelled at India could also take place within UK call centres. So the programme wasn't making cheap shots.

The difference between India and the UK was the manner in which this data was marketed. Outside Hyderabad, which had G.Bush visiting and high security at the time of the investigation, the personal information was being dealt as any other commoditiy. That is, openly traded. The makers of the programme weren't able to gain access to data as readily within the UK. The speculation, as it was untested, as to why this was the case was down to jurisdictional issues.

A large number of UK companies have taken advantage of the services supplied by Indian call centres. The security of data is a genuine concern. The numbers being talked about were in the 50,000 - 100,000 new leads per month. This is fraud on a large scale even if its only being carried out by a relatively small number of people. Some of the sample data, which when challenged was said to be made up, was used to track one person down that was prepared to appear on camera and confirm it as true. Interestingly this data was obtained because the person had a credit check done in a UK shop which happened to go through to an Indian call centre.

Incidentally the programme did say that the information was garnered not from banking call centres but mostly from ones used by mobile phone companies. The implication being that the banking call centres had a higher level of security.