Banks face prosecution over Indian call centre leak

UK banks have been warned they face prosecution for breaching the Data Protection Act after an undercover reporter was sold the bank account details of 1,000 UK customers by a call centre worker in India.

The security leak was discovered following an investigation by a newspaper reporter from The Sun, who was able to buy bank account, credit card, passport and driving licence details of UK bank customers for just £4.25 each.

The call centre worker in New Delhi also told the reporter he could supply confidential data from 200,000 accounts per month. The newspaper handed a dossier with all the details to the City of London police.

Detective Inspector Oliver Shaw of the economic crime unit at City of London Police said in a statement: "Unfortunately we have no jurisdiction to prosecute in the UK so we have passed it through Interpol to the Indian authorities."

A spokesman for data protection watchdog the Information Commission said it is a matter of "great concern" and warned that UK-based companies who outsource their customer services to a call centre whether in the UK or overseas remain legally liable for any security failings.

"It seems likely that a criminal breach of the Data Protection Act 1998 has occurred. We will be contacting the City of London police, as well as taking the matter up with those UK companies whose customers' details have been provided to The Sun," he said.

But banking watchdog the Financial Services Authority (FSA) refused to say whether it would launch any investigation.

An FSA spokeswoman told silicon.com: "Our concerns are whether adequate security controls were in place but a determined fraudster is always going to get through."

The latest breach could ignite a backlash against the Indian outsourcing industry following the theft of $350,000 from the accounts of US Citibank customers from a call centre in India earlier this year.

But Indian IT trade association Nasscom said these incidents are rare and can happen at call centres regardless of which country they are located in.

A Nasscom statement said: "Nasscom will work with the legal authorities in the UK and India to ensure that those responsible for any criminal breaches are promptly prosecuted and face the maximum penalty. The problem is not unique to any single nation - it is one that affects us all - and each of us has a responsibility to take on the criminals. India, with its strong legal system and its independent judiciary, is a country that takes this responsibility extremely seriously."