Special Report: Is customer data safe in Indian call centres?
The security of customer data in Indian call centres has been brought into question again following a sting by The Sun newspaper which found that staff were willing to sell bank account details of UK customers.
Three of the UK's leading banks - HSBC, Barclays and Lloyds TSB - have launched an investigation after the tabloid newspaper claimed that a former call centre worker had offered to sell British account details to an undercover reporter.
Working undercover, the Sun reporter was allegedly able to buy account details of 1000 Britons from a former call centre worker for US$5000. The former employee is also said to have offered to sell details of mortgages and medical bills. The alleged breach highlights risks to data as internet commerce and computer processing increase the amount of customer information exchanged between companies and countries.
Barclays, one of the banks whose data was said to be leaked, said the information did not come from its own operation but probably from a third party that requires customers to provide bank details in sales transactions.
But Infinity eSearch, the firm at the centre of the allegation, said it had no such data and no British clients. "We're a Web marketing company that optimises Web sites on search engines," insisted managing director Rahul Dutt. "We do not have any classified information on any banks."
But share prices in leading Indian offshoring companies fell as the market reflected concern that the row would deter business coming into the country. The authorities in India were keen to play down the incursion. "There are many credit-card scams in the US," an official said. "It isn't as if the Western world is devoid of all that."
India's National Association of Software and Service Companies (Nasscom) said call centre companies "will work with the legal authorities in the UK and India to ensure that those responsible for any criminal breaches are promptly prosecuted and face the maximum penalty".
It’s the second major scandal to rock the Indian call centre industry this year. In April, news broke of a $400,000 online credit card fraud involving workers at MphasiS, who police said enticed Citibank customers to part with details.
The West Bengal government this week called for a toughening up of the law to clamp down on rogue call centres. "There is a need for stringent laws within the IT Act for taking action against errant call centres," said Principal Secretary of the West Bengal IT department G. D. Gautama.
Analysts were unclear about the long term impact of this breach on the Indian offshore industry. "This is an emotive subject, linked to the export of jobs in European centres to Asia, and largely to India," said Graham Tulkingham of Ovum. "There is no evidence to suggest that Indian workers are any less honest than their European counterparts, nor that these crimes are limited to outsourced services. India has long been aware of the sensitivity of exporting personal information and has modelled its data protection legislation on the European model in order to strengthen its position in bidding for outsourcing work. Likewise, the Indian police are as capable of prosecuting criminals as their counterparts in Europe.
"Nevertheless the scale of this alleged operation is significant, and it seems likely that the culprit in this case is only one of many such villains in the field. The regime in India may be as good as elsewhere, but there is a big problem in ensuring security in any outsourcing contract, and these difficulties are exacerbated by the remoteness of inter-continental arrangements. Security is about ensuring that things don't happen. It is hard to prove a negative. If a contract says that the provider will do something, the customer can check that it was done. If the contract says that the provider won't lose data it is hard to prove it hasn't done so.
"Technology can help in some areas, such as logging and reporting operations, but no IT security product can record what an operator does with information after it has been displayed on his screen. There are major issues relating to all outsourcing contracts that need attention here, not just to offshore ones."
Unions opposed to offshoring have inevitably seized on the breach to support their case. Steve Tatlow, assistant general secretary at Lloyds TSB Group Union, said: "It is alarming that the personal sensitive data of customers can be fraudulently obtained in India. It puts customers at real risk of the activities of criminal gangs.
"Data Protection legislation in the UK needs tightening up. The EU recognises that India does not meet the same rigorous standards of data security as European countries, so why cannot customers insist on not having their personal information transferred to India."
Dave Fleming, senior finance officer for union Amicus, said: "Amicus has warned that the offshoring of financial services has huge data protection and customer confidentiality implications. Companies that have offshore jobs need to reflect on their decision and the assumption that cost savings benefiting them and their shareholders outweigh consumer confidentiality and confidence."
But the Financial Services Authority says security at Indian centres is very good and in some cases more controlled than in this country. It recently published a report on the centres based on visits to 10 call centres and data from five others.
It said staff at the centres were not allowed to take mobile phones or cameras to their workstations, and if bags were permitted they were searched. The computers used did not have hard drives, floppy disc access or access to the internet, email or printers. Staff are often given numbered sheets of paper on which to take notes which had to be handed in at the end of a shift.
"There is no evidence to suggest customer data is at greater risk in India than in the UK," the report states. "We observed a high level of security in operation and some firms stated that security is far more controlled in the UK. For suppliers, controls over people, processes and access swipes are client specific; for firms it is in line with their own policies. Some have used their own or external security experts and internal auditors to define and review arrangements."
HSBC says the security measures employed in its overseas centres are exactly the same as those in the UK. It said customer information is not stored on site in its overseas centres, and operators in India can only access data remotely and for the purposes of a specific customer enquiry.
Call centre operators can only view information for the purpose of their job, random spot checks are made on the data operators had access to, and its computers are specially protected to prevent data downloads. The bank also says no member of staff ever has access to a customer’s full Pin and account access security numbers.
But despite these measures research carried out for Alliance & Leicester found that 51 per cent of consumers were concerned about the security of their personal information in offshore call centre and that 87 per cent of people in the UK would prefer not to have their financial services handled by overseas call centres. Over half were concerned about the security of their personal information, while 47 per cent thought it led to a poorer service.
A statement from Alliance and Leicester this week re-affirmed its opposition to offshoring. It said: "Alliance & Leicester remains committed to UK-based call centres as we believe these best serve our customers’ needs and are what our customers want. Customers feel much more comfortable dealing with UK call centres for a variety of reasons. These issues are critical — and far outweigh what may in the end prove to be short-term cost savings.For this reason Alliance & Leicester remains committed exclusively to UK-based call centres and has no intention of outsourcing any call centre activity overseas."
Whether last week’s revelations deter other firms from making their own passage to India remains to be seen...