Thursday, June 23, 2005

Oh, those  dangers of outsourcing, part V

Picture credit: Online Sun
Online SunHave a seat. Please. Ready for yet another identity theft debacle? Here's another assault vector: outsourcing, which we also discussed in May.

Following closely on the heels of the Indian call center fraud scandal, the Pakistan telecomm strike, the Bangalore bomb scares at Wipro and Infosys, and various terrorist threats, the offshored backoffice is a dangerous place. And I don't mean just for the workers, but for citizens abroad whose data is handled by firms with questionable vetting practices.

The Sun reports:

Crooked call centre workers in India are flogging details of Britons’ bank accounts, a Sun probe has found. Our undercover reporter was sold the top secret information on a thousand accounts, and numbers of passports and credit cards.

An undercover reporter was able to buy the details thousands of UK banking accounts, password particulars and credit cards numbers from crooked call centre workers in India...

The article isn't online yet, but The Register picks up the story:

The paper says one of its journalists bought details of 1,000 UK banking customers from an IT worker in Delhi for £4.25 each. He was also able to buy the numbers of credit cards and account passwords. An unnamed security expert hired by the paper verified that the details were genuine. The information sold could be readily exploited by ID thieves to apply for credit cards or loans under assumed identities or to simply loot compromised accounts. The call centre worker bragged that he could sell up to 200,000 account details each month.

The Sun handed over a dossier on its investigation to the City of London Police. In a statement, the City of London Police said: "Unfortunately we have no jurisdiction to prosecute this in the UK. However we have passed information through Interpol to the Indian authorities and will be working with them to secure the prosecution of this individual.".

Amicus, the union, said the case highlighted possible data protection risks about moving financial services overseas. "Companies that have offshore jobs need to reflect on their decision and the assumption that cost savings benefiting them and their shareholders outweigh consumer confidentiality and confidence," Dave Fleming, senior finance officer, told the BBC.

For those firms utilizing offshore resources to handle consumer identity data, an alarm claxon just went off. Again.

Update: The eminent Bruce Schneier takes exception with this general viewpoint in his latest post. In a nutshell, his take is that the problem is with people, not offshore/onshore. But a commenter notes differences between the legal framework between countries that can make pursuing remedies noticably different.

And here's another difference. In the U.S., there are accepted standards for employment. A typical call-center worker will be vetted through a standardized background-check process, a drug-screen, and so forth.

Can a firm that offshores consumer data describe the vetting processes of their offshore firm? And the reliability of those doing the vetting?

IMO, it is far riskier to pipe sensitive and valuable data offshore than it is to keep it onshore, all other factors being equal.

No comments: