From Sky News

A police investigation has been launched after an Indian call centre worker was allegedly caught selling off bank details of British bank customers.

The 24-year-old is said to have sold secret account information of 1,000 people for just £4.25 each.


An undercover reporter from The Sun was said to have been sold account information as well as numbers of passports and credit cards.

The details could help criminals tap into accounts, clone credit cards, buy goods and apply for new bank cards.
The Delhi-based worker also claimed he could obtain the same details for American customers via a network of contacts in centres handling calls for banks.

Among the banks said to be involved are NatWest and Barclays.

But a Barclays spokeswoman said she would surprised if any of its customers were affected as no personal customer information was held in Delhi.

The investigation is being caried out by the City of London Police.

A spokeswoman said: "At this stage we are not fully aware of the breadth of what we are going to be investigating.

"While the allegations made in the dossier are very serious, City of London Police would like to remind people that incidents of this kind are still relatively rare."

If found guilty, the call centre worker could be jailed under India's strict IT laws.

It is just the fact that this is an off shore call centre that makes the Sun so interested. If it was happening in the UK or US then it would only be a small article.

I also heard this before leaving for work this morning.

This is interesting because I would have thought that, like any large banking institution, the outsource firm would have limited access to some of the more security-orientated aspects of customers' details.

For instance, I did a stint at a large internet bank (doing IT stuff) and the restrictions placed on such things as pin codes and the like were very real - even if I'd wanted to, there would have been no way I could have extracted a pin code from a customer record - and I had query-level access on their production Oracle database at the time. This is a *much* greater level of access than most any outsource agent would be given, and yet access to personal details was still restricted.

In this case, I'd look hard at the outsource organisation, but equally I'd point a very accusing finger at the banks in question. Why? Well, if they'd been adhering to the stringent requirements of data protection, the circumstances would simply not arise - access being denied on personal data unless an agent has a 'need to know' - which I suspect he/she didn't.

Anyway, this report originated from The Sun newspaper as I understand it, and that paper is hardly regarded for its high standards of accurate, informed journalism.

John

>>>>> Well, if they'd been adhering to the stringent requirements of data protection, the circumstances would simply not arise


The UK DP laws do not apply overseas and India has yet to legislate on this issue.

>>>>>It is just the fact that this is an off shore call centre that makes the Sun so interested?

Dont think so, overseas outsourcing and its subsequent drop in quality is quite an issue with consumers as current surveys are saying. Quality is the issue they are worrked about.
My guess is The Sun is highlighting it because its a case of 'we told you so' and here it is and its also a 'hot issue' with consumers suffering from poor quality service.



We may not like the Sun fair enough but please lets not overlook factual realities.

Anyway, this report originated from The Sun newspaper as I understand it, and that paper is hardly regarded for its high standards of accurate, informed journalism.

Indeed - it would probably be a safe bet to assume that the information was sort code and account numbers, something you hand out on every cheque you write.

I'm still waiting for the day that we see a positive call centre story in the press.

>>>>I'm still waiting for the day that we see a positive call centre story in the press.

Every call centre that opens provides jobs, thats positive.

Approx 860,000 positives.

The UK DP laws do not apply overseas and India has yet to legislate on this issue.

Wrong.

The UK DP laws do apply overseas when the Data Controller is in the UK. In fact (and as I've said before on this site), the act makes allowance for this in the eighth principle:

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

So the obligation is on the banks to ensure that the data will be kept secure, unless the country is in the EC approved list, which India is not.

In this situation, it is possible for the controller to seek consent of the subject to process overseas without ensuring adequacy. I'd be interested to hear if anyone's banks have worded this into their T&C's (You agree that we may transfer and process your personal information outside the UK...)

Failing that, the best route is to have a contract in place to ensure adequacy. You could get one written, or better still, use the model contracts approved by EC or UK IC: Model contracts

I'm not aware of how strict the OIC have so far proven to be on controllers with such an agreement in place with a processor.

Regards,
db

Further reading:
DPA
OIC discussion on 8th Principle
EU Data Protection website

As Paul mentioned...if it happened in England or America it wouldn't be reported.

He is spot on, Banks are targetted by organised gangs outside of India it just doesn't get noticed because:
1. The banks obviously dont want to publicise anything that affects consumer confidence
2. It goes against covert monitoring to make a big deal when fraud is uncovered
3. It aint that big anyway in the scheme of things - bigger fraud occurs via other routes.

The media wants to do India down in favour of home grown jobs so any little nugget that can be used to drive the wedge will be used.

Was it even a call centre?

Most effective scam merchants could get more than enough info, as described in the article, from a savings account application form. It's more likely to me that someone has been 'liberating' details from forms sent to India for data input than by cracking the database.

http://www.computerweekly.com/Article130076.htm

http://www.forbes.com/business/feeds/afx/2005/06/23/afx2107688.html

Darryl, I agree with you and am aware of this, what I was saying (badly) was that UK DP law doesnt have jurisdiction internationally merely its application in the UK. Please forgive my tendency to use the vernacular I was born in Suffolk and am by nature a carrot cruncher.


I am curious, this has prompted a lot of views/contributions. Why the outrage???

Another story about the wrongs of call centres - whats new?
Another story about security with a technological slant- household paper shredders are very popular buys at the moment because of media interest in ID theft? - whats new?
Another typical consumer interest involving cowboys, we've had the builders, plumbers, European timeshare scams , Euro lotteries, Nigerian Fraud, Barings, now India - whats new?

Perhaps its of its time????

Interested to hear others views on why this has provoked interest.

I heard this one the other day as well,

from my own point of view, I thought it was less to do with the fact that it was an Indian call centre and more to do with the current obsessive interest in identity theft and all that it entails. In turn fuelled by peak time credit card adverts using well known impressionists.

I would have said that this was much more up The Sun's alley than the slightly hackneyed issue of global outsourcing.

But I stand corrected,

Lynne

Humm...

I'm now really really sceptical..

Passport, Driving Licence details, Phone Numbers AND Passwords.

When was the last time a bank asked for your Passport number?

ARTICLE LINK

According to The Sun, the information, which includes addresses, passwords, phone numbers and driving license and passport details, was purchased for £3 per customer.

Yeah right.......

DaveA

Could it be that this person was also defrauding the people that were buying details from him, If you asked me for an address I can get a valid one for free from Royal mails website, a phone number from the phone book.yellow pages, driving licence( only the DVLA would be able to definately validate) Passport number, variation of one number could give you thousands of passport numbers.

Whilst this might sound a bit far fetched, it is not unbeleivable, for example somebody sold london bridge to some americans, but just didn't mention that it wasn't the one that spans the Thames??

If this person was using the internet, its quite possible that he was giving false info

There is one very well known bank whose Fraud detection systems are sooooh good that you need to ring them up before you go abroad because the chances are the first time they go for authorisation the system will flag potential fraud. I imagine this has come about because some poor misfortunate has either been banged up because the authorisation went through a third party and no-one could connect the customer with the issuer to validate a real purchase or it was a celebrity who got embarrassed.

In my statement this month was an explicit request that I ring up and tell them when I am going abroad. Cynical head on now, or it is a good excuse to get you to ring so they can sell you things.

Whilst this might sound a bit far fetched, it is not unbeleivable, for example somebody sold london bridge to some americans, but just didn't mention that it wasn't the one that spans the Thames??

I think they thought they were buying Tower Bridge rather than the
old London Bridge.

However I can sell you one used Taj Mahal, one careful owner......

There's always THIS ONE

Caveat Emptor...

DaveA

I can get me hands on a nice little place just of the isle of bermuda.....

just make a payment of $500,000 to my caymen account no 11111-2390934-300

I'll put the deeds and maps with directions in the post on completion of money transfer ;op

This story has moved on

BBC News Link

I must admit I am very sceptical about the FSA's position.


>>>>However the UK's own Financial Services Authority said last month that there was no evidence that the danger in India was greater than in British call centres.


Any comments anyone??






Edited to make link clickable DA 27/07/05