Private Data Sold From Indian Call Center

Matt Freman writes to mention a ZDNet article on reports that private data is being sold out of an Indian call center. A U.K. television programme, 'Dispatches', follows a 12-month investigative report on illegal privacy-related activities. During the taping of the show thousands of U.K. bank customers had their personal information sold by the staff of a call center. From the article: "Indian IT trade organization Nasscom criticized Channel 4 for refusing to show it any of the footage before it was broadcast on Thursday evening. It urged the program makers to cooperate in rooting out and prosecuting any 'corrupt' call center workers. 'The whole issue of data security is a global problem,' said Sunil Mehta, a vice president at Nasscom. 'There are bad apples in every industry around the world, and these incidents happen in India and the U.K. This is not a widespread problem in India. Security measures and practices that Indian companies have are the best in the world.'"

Re:How are cases prosecuted?

[Anonymous Coward]

I work at an outsourced customer support company. The policies where I work is if your caught abusing the information you get, you get fired. Simple as that. As for prosecution, if the offense was great enough, the company does prosecute I believe - I've never actually seen something this serious where I work, so I'm not 100% sure about how they deal with prosecution.

Re:How are cases prosecuted?

[pete6677]

Most shady people who would sell others' information would not care about being fired from some $7.50/hr call center job. Prosecution is not a big threat either, as rare as it is for people to be aggressively prosecuted for data theft. This is true no matter what country the call center operates in. It's just what will inevitably happen when you farm out important corporate operations to the lowest bidder. Of course they will take shortcuts and of course there will be shady people willing to exploit the situation. The only thing surprising about this article is that people didn't realize the potential for these problems a lot sooner. And the only thing that surprises me about fraud is that it isn't more common, as easy as it is to do. All it takes to succeed is a little common sense is a complete lack of morals.

Re:can the fired bad guys sue easily?

[Name Anonymous]

Is it possible that one can earn enough coin by selling information where they never have to work again, and hence firing is worth it?

In a word: Yes!

In more detail, a credit card number with enough information to use it (name, address, phone number, etc) is worth about $100. So if you work at a place that has lots of customers (Amazon or Paypal for examples) you could very well make enough money with all that data.

Re:can the fired bad guys sue easily?

[khallow]

Is it easier to fire the bad guys there because you are less likely to have a crooked lawyer come up out of the ooze and file a frivolous "wrongful termination" lawsuit? I know that is a problem in the US.

This isn't any more of a problem in the US. It's very easy to fire someone who has committed a crime. The fired employee would have to weigh any potential compensation against jail time (or perhaps more jail time).

Re:How are cases prosecuted?

[xoyoyo]

That is ever so slightly overstating the case:

The woman in question was not beaten and robbed. A youth stood in her way in a public park and demanded that she hit him. She did. So he hit her back. It is against the law in this country to assault people even if they ask you to, so she was arrested. She is not going to be prosecuted as the CPS has decided quite rightly that the public interest would not be served by prosecuting her. No doubt the entire incident could have been handled more sensitively but it isn't quite the world gone mad picture you seem to have formed.

Details here: http://news.bbc.co.uk/1/hi/wales/mid/5368900.stm [bbc.co.uk]

Some hackers tried this in the 70s

[mcmonkey]

This is just the tip of the iceberg. Consider what happens to code development shipped offshore.

It would be easy for someone to slip in a virus to round off the fractions of a cent in the interest computations and put the remainders in an account.

You just need someone who knows the credit union software to install it.

nonsense

[Anonymous Coward]

if you had watched the program you would of seen them talk to UK callcenter employees who could supply the same data, the only reason they went to India was because of the numbers, UK employees wanted 10-50 times what the Indians wanted for each piece of data and they (indians) could supply them in much larger quantities (100,000 fresh details per month) so as responsible jounalist do they followed the big fish not the little minnows

news video on the scandal

[Anonymous Coward]

http://www.channel4.com/player/v2/player.jsp?showI d=2053 [channel4.com]

Re:Cheap shot journalism

[MrMickS]

The programme did speak to someone working in a call centre in the UK. That person pretty much said that the security was so lax that any of the breaches levelled at India could also take place within UK call centres. So the programme wasn't making cheap shots.

The difference between India and the UK was the manner in which this data was marketed. Outside Hyderabad, which had G.Bush visiting and high security at the time of the investigation, the personal information was being dealt as any other commoditiy. That is, openly traded. The makers of the programme weren't able to gain access to data as readily within the UK. The speculation, as it was untested, as to why this was the case was down to jurisdictional issues.

A large number of UK companies have taken advantage of the services supplied by Indian call centres. The security of data is a genuine concern. The numbers being talked about were in the 50,000 - 100,000 new leads per month. This is fraud on a large scale even if its only being carried out by a relatively small number of people. Some of the sample data, which when challenged was said to be made up, was used to track one person down that was prepared to appear on camera and confirm it as true. Interestingly this data was obtained because the person had a credit check done in a UK shop which happened to go through to an Indian call centre.

Incidentally the programme did say that the information was garnered not from banking call centres but mostly from ones used by mobile phone companies. The implication being that the banking call centres had a higher level of security.

Legal recourse

[dodobh]

The law is being made a lot more stringent, and every person whose personal data has been compromised can get compensation upto 5 crore INR (50 million INR) as civil damages, as well as criminal action leading to fines and/or imprisonment. Under Indian law, any affected individual can bring a criminal lawsuit, without having to wait for the government to intervene.

http://tech.groups.yahoo.com/group/cyberlaw-india/ message/2848 [yahoo.com]

Meanwhile.. here in UK

[Anonymous Coward]

http://www.theregister.co.uk/2006/07/26/offshoring _misperception/ [theregister.co.uk]

http://www.theregister.co.uk/2006/10/05/india_expo sed/ [theregister.co.uk]

"In June, an Indian worker was arrested for allegedly defrauding £233,000 from the accounts of about 20 HSBC customers. However, the Royal Bank of Scotland lost nearly 100 times that amount of money (£21m) to a man working for the bank in Edinburgh."

Incidents of reported fraud in the UK have tripled in since 2003, according to BDO Stoy Hayward. The British government is conducting a review of unreported fraud the UK, which is it describes as "chronic".

But that never makes it to the prime time TV or headlines!! ?

Guess we would rather get fleeced by our white bretheren?

Re:Blame it on India!

[dotdash]

I think if I was making $2/hr (I made that up, I don't know what the real number is but I am sure it is low compared to the US) while I knew I was being exploited for cheap labor and was offered a large sum of money in exchange for personal data knowing I would lose my job but not be in trouble legally that I would probably take the money and go hunting for a new job.

A call center employee in India does make about $2.3 dollars per hour. However, I am really tired of people quoting these low Dollar figures for pay, while forgetting to mention that the "low pay" tends to be rather high for the local economy.

Let me give you some estimate of costs and expenses in US Dollars. These numbers are for cities like Bangalore and lie closer to the upper limit. I have considered the kind of restaurants and other establishments a young and hip call-center employee is likely to haunt. In the interest of full disclosure: I am Indian, and am quite familiar with the goings on in India in the IT and BPO fields.

Here is the summary before I give you the details: A call-center employee has the potential to save about 35% of his monthly pay. I wish I could do so in the US. Even by Indian standards, 35% is very good savings potential. For comparison, my sister and brother-in-law live in Bangalore, do not work in IT or BPO, and together earn less than the average call-center employee does. Mind you they both have daily expenses. They also have other expenses (schooling and feeding children mostly) an average call-center employee tends not to: The average call-center employee is single, in early 20s, and quite often not contributing much financially to his family.

With numbers like these, I can argue that call-center employees in India have a lot less incentive to sell out. That is, people in the US might look for "supplemental income" more than an Indian call-center employee does. Now, I don't believe that is so, just like I don't believe the argument that the lower Dollar-wage makes Indians (or other nationals) sell out data.

Here is the deal: For every 100 guys selling data, there is one guy buying it. The buyer shops in India because doing so is less expensive for him. So, how about we also look at where the buyers are coming from and what they do with it?

Average Monthly Numbers

• Pay: $444.44
• Expenses: -$276.75 (Everyday expenses (-$150.9), and rent and other montly expenses (-$125.85)
• Savings: $167.69 (37.7% of income)

Everyday expenses (Note: Call centers in India give their employees free refreshments and free/subidised transportation)

• A cup of coffee at a really fancy coffee house: $0.33 (yes, 33 cents)
• A cup of ice cream at a really fancy parlour: $0.65 (must buy ice cream for the girl that tags along)
• A pack of cigarettes: $1.5 (cigarette smoking seems to be on the rise)
• A full meal at a really fancy restaurant: $2.22
• A day pass on a city bus: $0.56 (though the average call-center employees are unlikely to take a bus: they ride bikes)
• A can of beer: $2.00 (most people don't drink beer everyday, but I list it here in case you are wondering)

Monthly expenses

• Rent: $44.00 (A native is likely to live with parents, and pays well below this number)
• Hair cut: $0.55
• Movie tickets, for four shows: $3.00 (movies are the most popular form of entertainment)
• Concessions at the movies for four shows: $4.50
• Apparel for self: $10.00
• Apparel for the person you are wooing: $10.00
• 10 gallons of gas: $48.8 (yes, gas is that expensive)
• Vehicle maintenance: $5.00

Big-ticket

• A new motorcycle: $1000.00

13 min Video here

[tycoman]

http://jiyocricket.blogspot.com/2006/10/channel-4- call-centre-id-theft-exposed.html [blogspot.com] crazy stuff. all ur data belongs to them

Re:How are cases prosecuted?

[xoyoyo]

And the CPS didn't. Read the rest of my comment and you'll see that the CPS dropped the prosecution as being not in the public interest, presumably for more or less the reasons you describe (although see below). The CPS does not arrest people: the police arrest them and the CPS decides whether to prosecute.

The police are discouraged from showing too much discretion: in this case a sensible copper would have simply pointed out the facts of the law and moved on to something else more important, but not all policemen are sensible, somew are worried that if they show too much discretion they will be reprimanded fot it.

Even if she had been prosecuted I believe assault can still be tried by jury in which case a jury of her peers would have injected some rationality to the process.

I don't know where you get this notion that laws are expected to be enforced on a "reasonable man theory". This is entirely true in some civil law (libel springs to mind, while patent law requires an expert in the field). Criminal law on the other hand is a system of absolutes, exactly as you claim it is not: if you do this, then you have broken the law.

Within those laws there are tests for reasonableness, but that's not the same thing as the reasonable man straw man you put up. I imagine you think (and correct me if I'm wrong) that you expect the reasonable man evaluation of a case like this to say "well they were obviously winding her up and the outcome was completely unbalanced so she shouldn't be arrested". Instead what the test for reasonableness in assault looks for is whether the contact was reasonable: this is the way that the assault law can distinguish between behaviour in the office and on the rugby field (to give extremes). It would obviously be unreasonable if I were to pull you to the floor so my colleagues could sit on you while we were discussing the quarterly sales figures; on a rugby field it would be perfectly reasonable. Punching somebody (outside a boxing ring) is always regarded as unreasonable.

If there is a worrying trend in British law it is not the tendency to blame the victim rather than the aggressor, which is a rightwing fantasy, but to remove the checks and balances required to inject exactly the kind of reasonableness you and the grandparent desire. Instead we have non-judicial ASBOs, a diminution of jury trial, the ending of the double jeopardy rule and the proposed lifting of the right to silence. And all of these things have been done in the name of cracking down on bad guys and speeding up conviction, not in the name of ensuring that terrified grandmothers (as in this case) are not harrassed by the law.