Banks face prosecution over Indian call centre leak

Banks face prosecution over Indian call centre leak

Summary: A newspaper reporter claims to have bought bank details for 1,000 UK citizens from a call centre worker in India

SHARE:
TOPICS: Security
2

UK banks have been warned they face prosecution for breaching the Data Protection Act after an undercover reporter was sold the bank account details of 1,000 UK customers by a call centre worker in India.

The security leak was discovered following an investigation by a newspaper reporter from The Sun, who was able to buy bank account, credit card, passport and driving licence details of UK bank customers for just £4.25 each.

The call centre worker in New Delhi also told the reporter he could supply confidential data from 200,000 accounts per month. The newspaper handed a dossier with all the details to the City of London police.

Detective Inspector Oliver Shaw of the economic crime unit at City of London Police said in a statement: "Unfortunately we have no jurisdiction to prosecute in the UK so we have passed it through Interpol to the Indian authorities."

A spokesman for data protection watchdog the Information Commission said it is a matter of "great concern" and warned that UK-based companies who outsource their customer services to a call centre whether in the UK or overseas remain legally liable for any security failings.

"It seems likely that a criminal breach of the Data Protection Act 1998 has occurred. We will be contacting the City of London police, as well as taking the matter up with those UK companies whose customers' details have been provided to The Sun," he said.

But banking watchdog the Financial Services Authority (FSA) refused to say whether it would launch any investigation.

An FSA spokeswoman said, "Our concerns are whether adequate security controls were in place but a determined fraudster is always going to get through."

The latest breach could ignite a backlash against the Indian outsourcing industry following the theft of $350,000 from the accounts of US Citibank customers from a call centre in India earlier this year.

But Indian IT trade association Nasscom said these incidents are rare and can happen at call centres regardless of which country they are located in.

A Nasscom statement said: "Nasscom will work with the legal authorities in the UK and India to ensure that those responsible for any criminal breaches are promptly prosecuted and face the maximum penalty. The problem is not unique to any single nation - it is one that affects us all - and each of us has a responsibility to take on the criminals. India, with its strong legal system and its independent judiciary, is a country that takes this responsibility extremely seriously."

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

2 comments
Log in or register to join the discussion
  • DATA PROTECTION LAWS ARE SUFFICIENT IN INDIA.

    The proposed change in the Information Technology Act, 2000 for conferring data protection or its separate enactment is not only unwarranted but is equally based on misinterpretation of the provisions of the Indian Copyright Act, 1957 and the TRIPS Agreement.

    The concerns and apprehensions of the MNCs are far-fetched and unwarranted. The TRIPS Agreement and the Copyright Act, 1957 provides sufficient safeguards for preventing violations of databases of MNCs. The data, information and details provided by the MNCs will get the protection of
    anonymous
  • US issue was different. What happened was that the information was on a hard drive which was lost during shipment so it wasnt a case of data being sold. It was a case o hardware going missing.

    Although I do agree the data theft can occur anywhere it is the cost factor that makes it so worthwhile doing it via India as the wages are so low. Hence the fact that you can buy all the information you require for
    anonymous