Forget hackers, Indian call center workers may be stealing your financial data

Undercover reporters offered data on debit cards, mortgages, credit and other intimate customer info

Hackers and hacktivists may be responsible for more data breaches than insiders, cybercrimes may be getting easier to commit –according to the FBI, at least – and the Internet may have become such a bad neighborhood that it requires not one, but two oppressively harsh, unrealistically broad bills in Congress to combat it.

That doesn't mean light fingers have no place in the world of crime anymore; even crime involving identity and data theft.

According to a story in the U.K.'s Daily Mail, workers at several call centers in India have been making money on the side by recording as many as 45 separate points of data on half a million British customers and selling them for as little as two pence per record.

The information includes names, debit and credit-card numbers (along with expiration dates and CCV/CVV codes), medical and financial records.

Reporters from the Sunday Times uncovered the scheme by going undercover as buyers. Two men calling themselves "IT consultants" claimed to have been selling the information for so long they could tell which banks issued a credit card simply by looking at the number.

They said they could also get data on mortgages, loans, insurance policies, cell-phone contracts and other accounts, most less than 72 hours old.

Their sources, they said, were call-center workers who were paid to "exfiltrate" data from their offices, most of which served as outsourced customer- or technical-support centers for, in this case, British businesses.

The story gave no indication the corruption included U.S. businesses as well as those in the U.K., but there is no reason to believe only British companies would be targeted.

Both U.S. and British businesses frequently hire call-centers and other technical-services companies in India to handle human-labor-intensive work that would be more expensive if it were done at home due to higher relative salaries and overhead costs in Western countries.

The "consultants" gave no indication of how call-center workers were sneaking the data out, but security vendor Sophos' NakedSecurity newsletter noted they could be doing anything from writing it down on scraps of paper to downloading it en mass onto USB flash drives, MP3 players or other small portable devices.

Indian government sources said enforcement agencies try to investigate reports of corruption, but are hindered by the reluctance of any of the call-center companies to admit their employees had been stealing information belonging to the customers of clients.

Call centers are a $5 billion-per-year business in India, employing about 330,000 workers.

Despite the tiresome reflex of some U.S. law-enforcement agencies to blame every act of cybercrime on Anonymous or nameless "hackers," there is no firm evidence that any of corrupt Indian workers stealing data to supply identity thieves are members of any Western hacktivist movements.

If they're writing the data down on paper, what they're doing might not even be considered cybercrime. Just plain old "crime," which is the way it should be prosecuted in the first place.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies