According to the Daily Mail an undercover investigation in India has uncovered that some call center workers have been selling confidential information on nearly 500,000 Britons.
Undercover reporters from The Sunday Times met with two individuals who claimed to be IT workers who offered to provide them with 45 different types of data gathered from the victims.
Information offered up included names, addresses, phone numbers and credit card details (including CCV/CVV codes and expiration dates).
The reporters allege they could purchase the records for as little as 2 pence apiece ($0.03 USD). One of the
IT workersthieves bragged:
"These [pieces of data] are ones that have been sold to somebody already. This is Barclays, this is Halifax, this is Lloyds TSB. We’ve been dealing so long we can tell the bank by just the card number."
They claimed to have information on mortgages, loans, insurance policies, mobile phone contracts and television subscriptions. Much of the information was “fresh”, or less than 72 hours old.
Indian authorities claim it is difficult for them to police the situation as many of the companies contracting for services at Indian call centers are unwilling to go public or admit that their customers data has been compromised.
Aside from investigating the individuals committing these crimes, there are technological solutions that could minimize these types of mass thefts.
While corrupt workers could still scratch down details on paper, it would prevent the mass exfiltration of data. I imagine the US Department of Defense started considering this more seriously after the stolen cables showed up on WikiLeaks.
What can be done? Device control is a good start. Don’t allow unauthorized USB storage devices to be mounted, DVDs to be burned or bridging of WiFi devices onto sensitive networks.
Data leakage prevention (DLP) is another great way to be sure no one is attempting to email the corporate jewels to their Gmail account.
Of course if your company is considering outsourcing potentially sensitive responsibilities to an outside firm, be sure they are using these techniques and monitoring employee access to data.
The same list of requirements should be used as if you were planning to move sensitive data to the cloud. In essence “the cloud” is just another name for outsourcing in most cases.
The money you may think you are saving will quickly vanish if you are responsible for the fallout of your partners losing (or selling) your customers personally identifiable information (PII).