Private Data Sold From Indian Call Center

Matt Freman writes to mention a ZDNet article on reports that private data is being sold out of an Indian call center. A U.K. television programme, 'Dispatches', follows a 12-month investigative report on illegal privacy-related activities. During the taping of the show thousands of U.K. bank customers had their personal information sold by the staff of a call center. From the article: "Indian IT trade organization Nasscom criticized Channel 4 for refusing to show it any of the footage before it was broadcast on Thursday evening. It urged the program makers to cooperate in rooting out and prosecuting any 'corrupt' call center workers. 'The whole issue of data security is a global problem,' said Sunil Mehta, a vice president at Nasscom. 'There are bad apples in every industry around the world, and these incidents happen in India and the U.K. This is not a widespread problem in India. Security measures and practices that Indian companies have are the best in the world.'"

How are cases prosecuted?

[weave]

If a worker who works in same country as the company is caught in fraud, they are prosecuted and thrown in jail. If a megacorp outsources off-shore and the employees of that company are involved in fraud, exactly what assurances does that company or its customers have that the perps are prosecuted?

Also, I always wondered why companies that outsource are assured their trade secrets are not sold too.

Its the Economics, STUPID

[Anarke_Incarnate]

When you pay someone a wage, that relative to those of the people they deal with, they will become angry and resentful. The point of moving offshore is to save costs because the cost of living is so low, making the wages low.

Thus, the people who know they are making a great deal less than people in the UK or US feel that they are doing this to equalize themselves. It is a psychological phenomenon. People don't just want to do well, they want to do better than others.

Blame it on India!

[RexRhino]

Of course, there isn't any reason to believe that private data couldn't be illegally sold in the UK... or in the U.S., or France, or Canada, or Germany, or Japan, or whereever. In fact, data theft has most certainly happened in all those countries!

But you are going to have a salvo of posts demonizing India as a place to do buisness. People with either a xenophobic agenda, or a protectionist agenda will jump on this with the whole "India is evil! Don't outsource to India" paranoia and hysteria, when in fact there is no reason to believe your data is more secure anywhere else.

Courts and Law

[blueZhift]

While I'm no fan of offshoring, in all fairness, it is true that data theft as described is not a problem unique to India. The real question is, how are these things handled by the courts and laws of the countries in which they occur? If there is some assurance that perpetrators will be brought to justice and things put to rights, as much as possible, then it may not be as big a deal. However, if the courts or laws are weak/corrupt and the penalties associated with data theft are laughable compared to the benefits, then you have a big problem. Many companies have been attracted to India and other countries by relatively cheap labor, but they really need to look at the rule and culture of law in any country they plan to do business in as well. This of course assumes that they are truly interested in benefitting the customer and haven't just added in data theft as a cost of doing business.

What can anyone say anywhere?

[krell]

"Not every Indian is necessarily corrupt. However, even an handful can ruin the reputation of the entire bunch. The Indian Govt. has to crack down really hard on the people caught selling the data."

Substitute "American" for "Indian" in that sentence. Then start going down the line with other countries. P.S. I am an American too.

can the fired bad guys sue easily?

[krell]

"I work at an outsourced customer support company. The policies where I work is if your caught abusing the information you get, you get fired. Simple as that"

Is it easier to fire the bad guys there because you are less likely to have a crooked lawyer come up out of the ooze and file a frivolous "wrongful termination" lawsuit? I know that is a problem in the US.

Re:Hmm...

[weave]

Amen. We just recently had an esoteric problem with Windows and roaming profiles where in about 1% of the logons, the user's perms to their user hive in the registry would be removed, preventing any GPOs from applying. After two weeks of debugging and not being able to faithfully reproduce it, we called microsoft and paid for an advanced support call to troubleshoot mission critical issues. This is one where "senior management" is allegedly notified of your issue.

We never got out of India, as evidenced by the emails that went back and forth and their origin (you can't always judge by accent because there are Indian citizens working domestically). However, as you stated, the ability to understand what they were saying was enough to drag each call out to twice as long as it should have been.

Then there's the quality of the "support." We were treated as if we were Grandma with a PC problem. We provided clear userenv logs and asked specific questions like "What causes migratent4tont5 process to invoked? What exactly is it checking for since we have no nt4 machines left?" No answers to our specific questions. Instead we got "advice" like.

• It's probably a virus problem.
• Please remove all non-microsoft services from all of your machines. "What? Including our Anti-virus software?" The answer was, yes.
• It's a driver issue with nvidia video cards (we don't have any machines with nvidia cards)

After a while the case person stopped returning our calls and their email started bouncing. Emailing the manager on record for this also bounced. Seemed like their email server was having problems.

They never followed-up on the call. After another week we found out what the problem was. If the ProfileList HKLM key didn't match what local cached profiles of roaming profiles exist on any given machine, it *sometimes* triggered this process that ended up changing the ACLs on the user hive preventing GPOs from being set. Solution was a machine startup script to check that list and remove any entries that conflicted.

They never even hinted to us where to look. We just found it through a heck of a lot of trial, errors, and observations. As far as I know, over a month later, the case is still open with them. They have never bothered to follow up. Then again, they probably closed the call with some lame excuse like "Customer refused to cooperate" (yes, we refused to remove anti-virus from all 2000 of our desktops. It was a stupid suggestion and had nothing to do with the problem at all)

Re:can the fired bad guys sue easily?

[weave]

Fired? That's it? I'm curious of the economics of the crime then. Is it possible that one can earn enough coin by selling information where they never have to work again, and hence firing is worth it?

Call center employees shouldn't be able to do this

[Fastolfe]

If the company designed its security and auditing correctly, call center employees should never have the ability to do this in the first place. Why are they trusting call center employees with wholesale access to customers' private data? Competent companies will require the employees to provide an explanation every time they access a record, and these will be tied to their phone records to make sure they are only accessing information relevant to their current task. A good audit trail, flagging unusual access behavior, combined with limiting access only to individual records at a time would have stopped these breaches.

Yes, some of these outsourced call centers are inexpensive because they don't do things like this. But you get what you pay for, right?

Re:Blame it on India!

[Danga]

People with either a xenophobic agenda, or a protectionist agenda will jump on this with the whole "India is evil! Don't outsource to India" paranoia and hysteria, when in fact there is no reason to believe your data is more secure anywhere else.

There is a reason to believe my data would be more secure somewhere else and for me that would be here in the US. The reason it would be safer is because if someone were to sell my information working at a company here in the US then they would be held accountable to the laws we have against that and they would pay the price because I certainly would go after them myself if necessary. If the person who sells my data happens to be in another country then I would not have the choice to go after them myself and even though they most likely would lose their job their home country may not have any laws against what they did with my information so they could basically get away with it. So while there truly are "bad apples" everywhere there would be MUCH more deterent to sell someones personal information in a country that has laws against it than in a country where those laws do not exist.

I think if I was making $2/hr (I made that up, I don't know what the real number is but I am sure it is low compared to the US) while I knew I was being exploited for cheap labor and was offered a large sum of money in exchange for personal data knowing I would lose my job but not be in trouble legally that I would probably take the money and go hunting for a new job.

Basically I hope that some laws are passed in the US (and other countries) that already have laws guarding personal information to make sure if companies outsource access to that information that they are only allowed to outsource it to a country that has at least the same laws in regard to personal information. The best choice would to not outsource that information at all (so if the company in another country did not persue the employee legally I could do it myself) but at least this way if someone did do something with my personal information I would have some hope that they would be punished more than just losing their job.

Re:Hmm...

[gorfie]

Don't be too quick to downgrade the parent. His message may seem trollish but his point is valid. They claim that their security measures are the best in the world but they also make other claims that are done purely to make their industry look more appealing to potential customers - not necessarily with any basis in reality(whether that is sales abilities, communciation skills, work ethic etc.). So if one claim is pure marketing then who is to say that the claim regarding security is anything other than an attempt to ease the fears of potential customers?

This is why I don't outsource

[Serveert]

I don't believe in cuttting corners, I don't think that's a long term strategy. For example, I don't hire people I don't trust. I hear people talking about outsourcing and they mention giving them a part of the non-critical portion of the code. Why bring these people on board who you don't trust? Short term profit? What about long term profit when these people you don't trust steal the rest of your code and compete against you?

Or, since you're just looking at them on a cost basis, paying them as little as possible, they aren't motivated. So their productivity is lower. I believe you should hire people and give them ownership and high pay. That's a long term strategy. All these companies outsourcing right now are going to get a rude awakening down the line.

Re:Hmm...

[Xest]

Exactly, whilst I agree my post probably came across as a little too trollish, my point was that comments like that are as ignorant and short-sighted pro-India marketing propaganda as the original article is anti-India marketing propaganda. When many outsourcing companies have been making claims like that (although of course in this case it was a response) is it suprising that western organisations hit back with an equivalent amount of propaganda? In an ideal world they'd all just grow up and avoid spreading any propaganda in the first place ;)

Just The Tip of The Iceberg

[aldheorte]

This is just the tip of the iceberg. Consider what happens to code development shipped offshore. It amuses me that businesses with strict non-open source code policies offshore code development because it's pretty much a de facto, if unofficial, grant of open source. It's even worse when people use offshore resources for "secret" prototype development and the such in an attempt to save money on project startup. I cannot think of a worse venue to put confidential new development into.

This problem is a compound problem. First you have low wage workers that are more likely to succumb to temptation of selling such secrets. Second, you have jurisdictional problems - technically you could make a legal claim through treaties and the like, but the hassles and delays would take years and years to resolve and probably give no real satisfaction (this is why I say de facto in the above, even if you disallow something, if there is no real useful legal remedial process behind it, whatever agreed is basically unenforcable). Third, there are cultural problems where intellectual property and consumer privacy are fairly artificial constructs of the legal systems of developed countries.

The bottom line is that this is only going to get worse and I imagine that Western companies will soon face legal liability for outsourcing in two ways:

1. To shareholders for assigning development to offshore resources that results in compromise of trade secrets or the like.
2. To consumers for breaches of privacy and resulting identify theft and the like.

The companies will argue that they entered into contractual agreements with third parties so it wasn't their fault, but I suspect that many of these cases could and will be successfully pressed on the basis of a lack of due diligence, especially against the backdrop of known incidents such as this.

Cheap shot journalism

[nuggz]

These type of "fear the indian call center" play really well because they hit such a high number of issues.

ID theft- scary, currently a nice hot issue.

Privacy - little recourse for violations,

Offshoring - They're stealing jobs!!
Jobs people don't want. FWIW there are some larger call centers in various parts of North America that are growing.

Indian accents - some people have trouble with them.

Racism - Some people just don't like them even if we solve all the other issues.

This is just cheap shot journalism at an easy target that gets people upset. This same type of privacy violation can and does happen in every part of the first world.

Wrong. In the real world...

[Anonymous Coward]

it's the SE who says it will take 150 hours and then extends it to 450 hours for various reasons who gets the contract.

Re:Hmm...

[Lactoso]

GP is blaming Microsoft. Specifically, Microsoft's decision to outsource support to a foreign nation, Microsoft's lack of training of this outsourced support staff, Microsoft's apparent apathy with the end-user (used to be called 'the customer' in the old days) experience, and Microsoft's failure to meet their support claims (this was a paid support call where 'senior management' was supposedly notified).

And the saddest part of this tale is that since the problem was solved (by the customer) after having dealt with the crack MS support staff, I imagine it will appear as a successful resolution for that support center, further legitimizing their use. While in actuality, the customer is completely dissatisfied.

Not suprised

[CaptScarlet22]

Money talks in any language....

Re:How are cases prosecuted?

[Anonymous Coward]

American slashdotters don't want the truth. They want more reasons to bash the UK. Whether they are true or not. Makes them feel better about the piss poor state of their glorious republic.

Re:Cheap shot journalism

[jnf]

I didn't RTFA, but it should hit a very important point. When I worked in the banking industry we had four or five bases of operation in India, we then had a problem that no one really wanted to talk about- we couldn't do background checks on the employee's in India, so we were not even in compliance with our own policies. This was a huge issue because these people had access that ranged from nothing to administrative access over all of the workstations and some of servers.

Think about that for a moment and then tell me it's still racism.

Re:Cheap shot journalism

[geekoid]

Offshoring - They're stealing jobs!!
Jobs people don't want. FWIW there are some larger call centers in various parts of North America that are growing.

Jobs people don't want? what you mean like programming? or the thousands of people that have been fired so there call center/support job can go to india?

To say migrant works do jobs most people don't want is true(ever pick strawberries for a day?); many people want office jobs.

Nope. India is just a morass of corruption.

[frost22]

They can not even prosecute clear cut cases of murder, when there is ample proof.

Just a somwhat current example: the murder of Jessica Lal.

The victim, an attractive model, worked at the bar at a friend's party in a fancy restaurant. A son of a powerful politician comes in with his entourage and asks for a drink. She refuses to give him one, because the bar is already closed. The man - offended beeing refused in front of his friends - pulls a gun and shoots her direct in the face.

Numerous witnesses. Ample evidence. OJ Simpson was a mystery compared to that. And yet, after seven years of judical wrangling, the man walks away free (not that he ever spent a day in jail). Witnesses who can not remember anything, a police that just happens to destroy or devalue all evidence - the case stinks of corruption.

Its been a major scandal in India half a year ago. But only because the victim was well known and had many influential friends of her own. Had she been a simple rural woman, we wouldn't even know. Local observers note that affairs like that are standard practice - if you are rich enough in India, there is no law that applies to you, because everybody is corrupt and can be bought.

Don't believe me ? Just google for Jessica Lal, and read the whole sordid story.

Re:Hmm...

[weave]

There ARE lots of qualified NT admins in India, who have the professionalism and knowledge to really research this kind of problem.

I have no doubt about that. But this particular problem I described was very esoteric. Basically, if you get an userenv dump and google for some of the words found in it, you get tens of thousands of matches from other dumps people have posted over time.

The problem was, some of these in the section at issue we googled and got ZERO hits on, meaning no one has seen it before probably. No hits on microsoft's public website.

Which means it probably isn't in the call support staff's DB either. And I bet a huge amount of cash that these call centers have requirements to limit the number of calls they escalate to engineers in Redmond, so they are very reluctant to do so.

In the end, no support for truly difficult problems. The sad thing is, since this string was very unique, if this was open source OS we could have at least searched the source tree for the string and determined what logic happens to trigger that to be outputted in a log file. :-(

How do you know it doesn't happen more often?

[Svartalf]

All you see is the more careless ones getting caught. Identity theft actvities goes on, even in the US- we just
have a better handle on it so that the sloppy ones don't get very far. In India and elsewhere, you pay for cheap,
they don't give a care about security- what costs is the pay for the labor to be less inclined to do corrupt things
and for the security to ensure that if they do, they typically get caught real quick.

All because of some idiot that has an MBA that thinks he has a solid handle on economics and business thinks that
it'll be cheaper to do this "offshoring" thing- because everyone else is doing it and you can't afford to not do it.

Well, I'm here to tell you that if you can't afford to pay people here in the States (or UK, or Australia, or...)
you probably really can't afford offshoring it unless you get lucky. Offshoring is a damn crapshoot- and you might
get lucky, the odds with you for a while. But, at some point, it comes back to roost and all that money you "saved"
just got flushed down the toilet in liability suits, lost reputation, and reperations to the poor sots that got
screwed by the identity thefts, etc. that comes from it.

Sure, there's sharp people over in India and Russia. Do you think for one moment that you're GETTING those people
when you offshore? If you do, you're fooling yourself. The really competent ones cost as much as they do here over
there. What are you getting when you do the offshore thing? The middle of the crowd at best and the bottom of the
barrel leavings- because they're cheaper.

Re:How do you know it doesn't happen more often?

[TubeSteak]

The really competent ones cost as much as they do here over there.

Cost of living "over there" is drastically lower than it is in the U.S. or the EU.

30,000 USD is a lot of money in India or the former Soviet States.

I know there are at least a few American /.'ers, who make a low end American IT salary, but do quite quite well living in India.

Maybe one of them will chime in