Data theft scandal - what we can learn from India
Opinion: It has much to teach us in terms of security
Recent undercover 'sting' operations reveal how easy it is to purchase customer information from call centres. But that doesn't mean India deserves a bad reputation for data security, says Mark Kobayashi-Hillary. These stunts could happen anywhere.
Last night, the Channel 4 Dispatches programme lifted the lid on what many have long suspected - that offshoring personal data to India is a time bomb waiting to explode.
But is the situation really as bad as Sue Turton's shocking report might suggest? And does India deserve this constant barrage of accusations?
India does seem to get it in the neck, with recent undercover 'stings' by reporters from Australia and the UK, plus this latest documentary causing an immense row.
First let's get something clear upfront. I'm no apologist for India. I have worked in India, written about India and I love the country but I know there are plenty of areas where India could improve its attractiveness to foreign investors. However, one of the areas where we should be learning from the Indians is data protection, so it's disappointing to see such a reputable industry portrayed in this way.
The programme showed investigative reporter Turton pose as a British executive wanting to buy customer information in order to start up a call centre - and that information (names, addresses, credit card numbers) was readily available for purchase.
I can't argue that the report was not disturbing but how many more times do we need to watch or read about such sting operations in India? If you want the information then you can buy it anywhere, including here, Canada, the US and any other supposedly 'safe' country. I suffered identity theft myself last year when my debit card was cloned and £2,000 cleaned out of my account. That wasn't from a call centre thief in Mumbai, it was from a card skimmer in Mayfair.
The second thought that crept into my head as I watched the drama unfold was that the allegations didn't seem to stack up - there was something not quite right. The shady middlemen selling the data could never explain exactly how it had come into their hands other than through 'social engineering', or using call centre agents to call UK mobile phone users and then solicit more personal information than would usually be needed - phishing on the telephone basically.
The stolen data was said to include customers of NatWest - a company that recently used a high-profile TV advertising campaign to shout about the fact that they don't answer calls in India. Clearly the allegations were not centred on data leaking from the call centres of the various banks mentioned - it was more to do with mobile phone customers giving their bank details to an Indian call centre agent who then records and collects the information on the customer regardless of whether their bank uses offshoring or not.
Mphasis was the only Indian contact centre company named in the programme, not as a part of the data theft allegations but because of their well-documented issues a couple of years ago. They have a right to be more than a little miffed over this, as the association with the rest of the programme was tenuous, to say the least.
What wasn't said in the programme was that the Indians take this form of crime seriously and the police will want to see details of those featured in the programme last night, so they can be charged.
The UK regulators know the situation in India well and the industry has been given a clean bill of health in the past. The Financial Services Authority undertook an investigation into standards in India in April 2005 and the Banking Code Standards Board (BCSB) audited eight Indian call centres earlier this year, handling more than one million calls per month from the UK - and gave their green light.
The BCSB report noted: "Customer data is subject to the same level of security as in the UK. High risk and more complex processes are subject to higher levels of scrutiny than similar activities onshore."
The India-bashing must stop. Concern about data security is not limited to any one country and India's record stands up to comparative scrutiny. In 2005, research company Forrester found there were more security breaches in the UK and US than in India. In the past 18 months, according to reports by privacy watchdog groups, the incidents of identity theft in the US alone have been 148 and affected nearly 94 million identities.
In the UK, the Home Office estimates ID thefts result in losses of more than a billion pounds, and a quarter of all UK citizens have either been affected by identity theft or know someone who has been. That should put the issue into context but somehow consumers tend to ignore data theft when it goes on under their noses.
I would argue that we should learn from India. When I go to the contact centres there, they check visitors for phones, cameras, iPods, USB sticks - even pens, pencils and notebooks are banned. Desk phones are not used and the system environment is locked down so the agent can only work on a single customer at a time, with just the information they need for the present transaction available for use. That's the normal environment in any reputable Indian contact centre operating a service where personal data might be used.
Indian call centres know that overseas clients are not entirely comfortable with customer data being processed offshore, so they stop at nothing to give a warm, safe feeling. Further down the food chain the contact centres may not be as reputable or as well managed but then it's the responsibility of the mobile phone companies using the contact centre service to protect their customer information - so they should only be dealing with trusted partners anyway.
The Indians are working on new legislation to directly address cyber crime, the police force is being trained in this area and the industry has set up a national register for staff so it should be easier to vet the career history of those entering the contact centres.
Even so, it's impossible to completely lock down security and eradicate data breaches because people are people. But through strong controls over the people, processes and systems, most of the opportunities to make a fast buck from data theft can be removed.
India is far ahead of us in planning how to operate a service industry with hundreds of thousands of employees accessing personal data on customers. We should start listening to their security ideas before the next major data breach takes place on these shores.
Mark Kobayashi-Hillary is the author of 'Outsourcing to India: The Offshore Advantage' and the forthcoming 'Building a Future with BRICs: The Next Decade for Offshoring'.