Media reports have disclosed that call centre staff have sold credit-card details and patient records to third parties.
According to a report in the Times of India, Indian call centres are selling on the confidential personal data, including credit-card details and medical records, of more than 500,000 Britons.
An undercover investigation by The Sunday Times found that the data is being sold by "corrupt Indian call centre workers" to cyber criminals and marketing firms. The report said that two Indians, claiming to be information technology workers at call centres, met undercover reporters and boasted of having 45 different sets of personal information.
The data included names, addresses and phone numbers of credit-card holders, and the cards' start and expiry dates and three-digit security verification codes. Other information being sold on related to mortgages, loans, insurance and mobile phone contracts.
The Daily Mail claimed that the information is being sold for as little as 2p, and that one of the consultants met the undercover reporters in a hotel room in a town near Delhi, carrying a laptop full of data.
Bill Morrow, executive chairman of Quarri Technologies, said: “As businesses continue to outsource services in an effort to reduce costs, business partners, including third-party service providers, need to ensure that customer information is not copied, transferred or stolen.”
Marc Lee, EMEA sales director at Courion, said: “What's most alarming about this case is how easy it seems for call centre staff to misuse confidential information. While no organisation is completely safeguarded against insider threats, a lot could be done to reduce the possibility of data misuse by insiders and mitigate access risk.
“In this case the selling of sensitive data could have been prevented or detected at an early stage had the call centres' IT staff had effective systems in place to control and monitor user access to confidential information. Such access risk management systems should be able to control who is accessing customer data, how it is being used, where and when.
“Another effective measure to prevent insider threats would be to implement specific restrictions for copying confidential data onto USBs or other external devices, or disabling access to such information from specific locations or at certain times.”