Indian call centre staff \'selling confidential personal data\'

Media reports have disclosed that decision centre staff have sold credit-card details and patient records to 3rd parties.

According to a report within the Times of India, Indian call centres are selling at the confidential personal data, including credit-card details and medical records, of greater than 500,000 Britons.

An undercover investigation by The Sunday Times found that the information is being sold by "corrupt Indian call centre workers" to cyber criminals and marketing firms. The report said that two Indians, claiming to be information technology workers at call centres, met undercover reporters and boasted of getting 45 different sets of private information.

The data included names, addresses and call numbers of credit-card holders, and the cards' start and expiry dates and 3-digit security verification codes. Other information being sold on on the topic of mortgages, loans, insurance and cellular phone contracts.

The Daily Mail claimed that the tips is being sold for as low as 2p, and among the consultants met the undercover reporters in a hotel room in a town near Delhi, carrying a laptop stuffed with data.

Bill Morrow, executive chairman of Quarri Technologies, said: “As businesses continue to outsource services which will reduce costs, business partners, including third-party service providers, want to make sure that customer information will not be copied, transferred or stolen.”

Marc Lee, EMEA sales director at Courion, said: “What's most alarming about this situation is how easy it kind of feels for call centre staff to misuse confidential information. While no organisation is totally safeguarded against insider threats, a whole lot may be done to attenuate the potential of data misuse by insiders and mitigate access risk.

“In this situation the promoting of sensitive data might have been prevented or detected at an early stage had the decision centres' IT staff had effective systems in place to manage and monitor user access to confidential information. Such access risk management systems ought to be capable of control who's accessing customer data, the way it is getting used , where and when.

“Another effective measure to stop insider threats can be to implement specific restrictions for copying confidential data onto USBs or other external devices, or disabling access to such information from specific locations or at certain times.”