COMMENT
Recent undercover 'sting' operations reveal how easy it is to purchase customer information from call centres. But that doesn't mean India deserves a bad reputation for data security, says Mark Kobayashi-Hillary. These stunts could happen anywhere.
Last night, the Channel 4 Dispatches programme lifted the lid on what many have long suspected - that offshoring personal data to India is a time bomb waiting to explode.
But is the situation really as bad as Sue Turton's shocking report might suggest? And does India deserve this constant barrage of accusations?
India does seem to get it in the neck, with recent undercover 'stings' by reporters from Australia and the UK, plus this latest documentary causing an immense row.
First let's get something clear upfront. I'm no apologist for India. I have worked in India, written about India and I love the country but I know there are plenty of areas where India could improve its attractiveness to foreign investors. However, one of the areas where we should be learning from the Indians is data protection, so it's disappointing to see such a reputable industry portrayed in this way.
The programme showed investigative reporter Turton pose as a British executive wanting to buy customer information in order to start up a call centre - and that information (names, addresses, credit card numbers) was readily available for purchase.
I can't argue that the report was not disturbing but how many more times do we need to watch or read about such sting operations in India? If you want the information then you can buy it anywhere, including here, Canada, the US and any other supposedly 'safe' country. I suffered identity theft myself last year when my debit card was cloned and £2,000 cleaned out of my account. That wasn't from a call centre thief in Mumbai, it was from a card skimmer in Mayfair.
The second thought that crept into my head as I watched the drama unfold was that the allegations didn't seem to stack up - there was something not quite right. The shady middlemen selling the data could never explain exactly how it had come into their hands other than through 'social engineering', or using call centre agents to call UK mobile phone users and then solicit more personal information than would usually be needed - phishing on the telephone basically.
The stolen data was said to include customers of NatWest - a company that recently used a high-profile TV advertising campaign to shout about the fact that they don't answer calls in India. Clearly the allegations were not centred on data leaking from the call centres of the various banks mentioned - it was more to do with mobile phone customers giving their bank details to an Indian call centre agent who then records and collects the information on the customer regardless of whether their bank uses offshoring or not.
Mphasis was the only Indian contact centre company named in the programme, not as a part of the data theft allegations but because of their well-documented issues a couple of years ago. They have a right to be more than a little miffed over this, as the association with the rest of the programme was tenuous, to say the least.
What wasn't said in the programme was that the Indians take this form of crime seriously and the police will want to see details of those featured in the programme last night, so they can be charged.
The UK regulators know the situation in India well and the industry has been given a clean bill of health in the past. The Financial Services Authority undertook an investigation into standards in India in April 2005 and the Banking Code Standards Board (BCSB) audited eight Indian call centres earlier this year, handling more than one million calls per month from the UK - and gave their green light.
The BCSB report noted: "Customer data is subject to the same level of security as in the UK. High risk and more complex processes are subject to higher levels of scrutiny than similar activities onshore."
The India-bashing must stop. Concern about data security is not limited to any one country and India's record stands up to comparative scrutiny. In 2005, research company Forrester found there were more security breaches in the UK and US than in India. In the past 18 months, according to reports by privacy watchdog groups, the incidents of identity theft in the US alone have been 148 and affected nearly 94 million identities.
In the UK, the Home Office estimates ID thefts result in losses of more than a billion pounds, and a quarter of all UK citizens have either been affected by identity theft or know someone who has been. That should put the issue into context but somehow consumers tend to ignore data theft when it goes on under their noses.
I would argue that we should learn from India. When I go to the contact centres there, they check visitors for phones, cameras, iPods, USB sticks - even pens, pencils and notebooks are banned. Desk phones are not used and the system environment is locked down so the agent can only work on a single customer at a time, with just the information they need for the present transaction available for use. That's the normal environment in any reputable Indian contact centre operating a service where personal data might be used.
Indian call centres know that overseas clients are not entirely comfortable with customer data being processed offshore, so they stop at nothing to give a warm, safe feeling. Further down the food chain the contact centres may not be as reputable or as well managed but then it's the responsibility of the mobile phone companies using the contact centre service to protect their customer information - so they should only be dealing with trusted partners anyway.
The Indians are working on new legislation to directly address cyber crime, the police force is being trained in this area and the industry has set up a national register for staff so it should be easier to vet the career history of those entering the contact centres.
Even so, it's impossible to completely lock down security and eradicate data breaches because people are people. But through strong controls over the people, processes and systems, most of the opportunities to make a fast buck from data theft can be removed.
India is far ahead of us in planning how to operate a service industry with hundreds of thousands of employees accessing personal data on customers. We should start listening to their security ideas before the next major data breach takes place on these shores.
Mark Kobayashi-Hillary is the author of 'Outsourcing to India: The Offshore Advantage' and the forthcoming 'Building a Future with BRICs: The Next Decade for Offshoring'.
Comments
There are 9 comments. Join the discussion
1. Chris Stevens
Predictably the Offshore-phile Silicon.com is quick to roll out the MKH commentary. He says that India is in advance on Data Protection. Yet that country was still formulating its laws at the end of 2004.
If someone in the UK suffers a loss or damages due to the data privacy negligence of an oversea's company there is effectively no redress. The UK Data protection law is much more mature, dating right back to the 10 Younger Principals in 1972 and the Lindop Committee in 1978 These were adopted by the Council of Europe in 1981.
However the data protection issue is a sideline. The UK public do not like offshore call centres because they do not work properly. The companies involved know this because they try to hide the fact that the client's phone call has been directed offshore. The result is that clients have to spend much longer on the phone as a consequence of the comapny "cost savings". There is nothing racial in this view, it is a consequence of poor service.
2. David K
Excellent Article, I have also been to Indian Call Center and they have the same data security process as in US.
3. anonymous
Hi
Lets put things in prespective , manipulation ,adulteration of products is the norm not the exception ( See the cloning and selling below strength drugs , where money is concerned everything is available in the market place. The Indian Judiciary is a joke has he had any experience of dealing with the Judiciary.
The greedy companies here want to save money by locating overseas paying starvation wages there and expect to get in return sterling service
it is a big joke
4. Paul Jacques
"India is far ahead of us in planning how to operate a service industry with hundreds of thousands of employees accessing personal data on customers"
Hmm, far from it, if we are to believe what we read and watch on TV. The truth is that India is a victim of her own success. And with new data centres popping up at a high rate to meet the demand, the temptation is to employ a body first and check them out later (if at all). I already work in an IT industry where a 10 year background check is the norm, can India say the same, because it should.
5. anonymous
Greed has sent us to offshore data bases.it is no use slateing the Indian continent for the worlds greed.Yes if the Indian criminal element see a loop hole they will exploit it.As in any part of the world.I agree it is a time bomb waiting to go off.But the people looking in are so frightened they may be accused of Racism or their potty ideas will come back and kick them
6. David
I would have thought the reason most people are concern about data theft from Indian (or any other foreign) call centres stems from the fact that they are paid so little for the work they do, so the temptation for greed is greater. It’s also still a relatively new industry that is expanding so fast that there are more optunities available for crimals to exploit than in the uk.
Personally I would feel uncountable taking to an India based call centre bank worker, unhappy say with a £20 bank charge which is probably more than that person earns in a week! It is that remoteness that I don’t like.
On the subject of Indian Call Centres in general, I like I’m sure so many of your readers receive numerous calls a week from them, and 90% of tech support lines I call are routed to India. I’m sorry to say but usually my first reaction is to sigh…. I know that in general the call is going to be longer and more painful than needs be, and that the company calling/being called doesn’t really care that much about my custom. The practices operated by the Indian Call Centres Companies in most cases force their staff to tightly follow a script which the operators rarely stray from, and so instead of listening to what your saying they are just ticking each box in there script in order, constantly having to repeat yourself and being read back what you’ve told them: “G for Golf, B for Bertie…” I also don’t like the dishonesty that companies who use the call centres try to make out that they are not in India, or the call centre staff themselves using English names.
7. anonymous
Having had 'cold calls' on my landline from 'offshore' on behalf of a certain 'mobile phone reseller' to lines that have been T.P.S listed & ex-directory for some time. I hardly expected a torrent of racial abuse when I proceeded to politely terminate the call. Perhaps that is the was that 'mobile phone reseller' 'train' their staff. By using aggressive & intimidatory methods when faced with a polite refusal. As reported on various forums & consumer programs.
8. anonymous
Excellent article. Thanks to Mark for putting things in the right perspective. But its surprising to see the reaction of some of the readers. They seem to have confused the industry with the country and most of them are spewing hatred against the country. If the accusations were true, the Indian IT / BPO industry wouldn’t be clocking 30 per cent growth rates.
But some of the anger is understandable with jobs going overseas, but Indians are not stealing your jobs, they are just competing for them and winning them on their own cost and quality merits. Its well proven by numerous studies that the quality coming from Indian call centres / data processing back offices is far higher that what you get in the West.
Finally, Europeans have no reason to be angry. This is what you did to our textile industry 200 years back. You killed our vibrant industry to grow yours and build an Empire on the ruins of our industry. I guess its pay back time after all. It would be worthwhile remembering and recalling that even before your Industrial Revolution started, we were the world’s second largest economy after China. And history, they say, has a nasty habit of repeating itself.
9. anonymous
Security begins at home. It starts with only letting the right people into our country and ends with not sending confidential data to other countries such as India. Our government is learning both these lessons a little late in life.