Corrupt call center workers selling your private information for pennies

Filed Under: Data loss, Featured, Privacy

Thief with secrets image courtesy of ShutterstockAccording to the Daily Mail an undercover investigation in India has uncovered that some call center workers have been selling confidential information on nearly 500,000 Britons.

Undercover reporters from The Sunday Times met with two individuals who claimed to be IT workers who offered to provide them with 45 different types of data gathered from the victims.

Information offered up included names, addresses, phone numbers and credit card details (including CCV/CVV codes and expiration dates).

The reporters allege they could purchase the records for as little as 2 pence apiece ($0.03 USD). One of the IT workersthieves bragged:

"These [pieces of data] are ones that have been sold to somebody already. This is Barclays, this is Halifax, this is Lloyds TSB. We’ve been dealing so long we can tell the bank by just the card number."

They claimed to have information on mortgages, loans, insurance policies, mobile phone contracts and television subscriptions. Much of the information was "fresh", or less than 72 hours old.

Indian authorities claim it is difficult for them to police the situation as many of the companies contracting for services at Indian call centers are unwilling to go public or admit that their customers data has been compromised.

Aside from investigating the individuals committing these crimes, there are technological solutions that could minimize these types of mass thefts.

While corrupt workers could still scratch down details on paper, it would prevent the mass exfiltration of data. I imagine the US Department of Defense started considering this more seriously after the stolen cables showed up on WikiLeaks.

USB drive being inserted into a laptop image courtesy of ShutterstockWhat can be done? Device control is a good start. Don't allow unauthorized USB storage devices to be mounted, DVDs to be burned or bridging of WiFi devices onto sensitive networks.

Data leakage prevention (DLP) is another great way to be sure no one is attempting to email the corporate jewels to their Gmail account.

Of course if your company is considering outsourcing potentially sensitive responsibilities to an outside firm, be sure they are using these techniques and monitoring employee access to data.

The same list of requirements should be used as if you were planning to move sensitive data to the cloud. In essence "the cloud" is just another name for outsourcing in most cases.

The money you may think you are saving will quickly vanish if you are responsible for the fallout of your partners losing (or selling) your customers personally identifiable information (PII).

Thief stealing secrets image and USB drive being inserted into a laptop image courtesy of Shutterstock.

, , , , ,

You might like

14 Responses to Corrupt call center workers selling your private information for pennies

  1. Greg W · 942 days ago

    When will companies learn it does NOT PAY in the long run by outsourcing and taking jobs away from their fellow country citizens. It is a terrible business practice that needs to be stopped once and for all!!!

    • daverogk · 940 days ago

      We are experiencing the same thing here in Ireland with companies outsourcing to India and Egypt

  2. Elwyn · 941 days ago

    BT along with the banks mentioned have been aware of this for some time! Their staff are 'NOT ALLOWED' to mention it to anyone!

  3. bluerobin · 941 days ago

    Yes that's why i get bombarded with calls from Asian people constantly and im supposed to be ex directory !

  4. Robert Wurzburg · 941 days ago

    We are going to hear more and more of these incidents. Outsourcing of customer
    service and technical support where PII is able to be accessed should be made
    unlawful, with severe penalties.
    Maybe then some jobs will come back to the U.S. where they rightfully belong! If
    you are the victim of identity theft and it can be traced back to this type of source,
    file a class-action lawsuit against the company, and criminal charges. Maybe if it
    costs them enough money and bad media attention, plus have to ADMIT GUILT as
    a part of any settlement, they will finally change their business practices to safer
    ones and we will be more protected than at present.

    • Mrs. W · 941 days ago

      You realize that this is the blog of an international company, right? And that many, if not most, of the people who write for Naked Security are not in the US?

      They are, however, in countries on fairly equal footing with the US in terms of wages, lifestyles, and working conditions.

      The US isn't outsourcing to these countries. It's outsourcing to places where labor is cheap. Are employees of these call centers making enough to put decent food on the table and a roof over their families' heads? Or do they have to find ways to supplement their income just to survive?

      It's a lot easier to be honest when your basic needs have been met. It's also a lot easier when you're not constantly confronted with the disparity between your income and lifestyle and that of the people you have to serve on a daily basis.

      But that's enough about the sociology and politics of outsourcing and criminal behavior, as it's rather off-topic. The question is how best to deal with the situation once you've been placed in it.

  5. Neil · 941 days ago

    One of the reasons why I don't do business with any company which has an Indian operation.

    • pragmatist · 938 days ago

      I guess you do not have any credit cards. EVERY major credit card company has operations in India and several other low cost countries.

  6. And so the corporate drive of the nineties and early two thousands to outsource services to India has raised its ugly head showing its true colours. Its cheaper to have your call centres in India and your tech support centres but the downside the corporations either overlooked or just didn't care about was the serious lack of data protection in said country. Its simply idiotic that given the amount of private data thats stored in these centres is unpoliced - totally. The lame excuses they give are just that - excuses as the companies in question don't give a rats arse.

  7. Terry Downing · 940 days ago

    My credit card security was compromised with a well known online travel company. At first I was treated like a criminal and then the FBI (yes real FBI) got involved. I got my credit card money back eventually but no appology or compensation.
    The CCV is the worst security solution in use today and should be replaced by a GrIDsure method.

  8. Joshua Fellows · 938 days ago

    The thing that worries me with outsourcing call centres is the fact that, what's stopping these people from leaking and stealing customer information if these people are working in places in the middle east why should they care about customers information from the western world?

    • Mrs. W · 937 days ago

      A) Since when is India in the Middle East?
      B) What do borders inherently have to do with whether you're willing to cheat another human being? Would you be willing to steal some Indian guy's credentials because, well, what do you care about some guy in the Eastern world?

  9. Jmatt · 845 days ago

    Everything mentioned in this article is happening in the United States as well. These people are not outsourced. They work directly for the company and is taking your information and selling it.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.