UK banks have been warned they face prosecution for breaching the Data Protection Act after an undercover reporter was sold the bank account details of 1,000 UK customers by a call centre worker in India.
The security leak was discovered following an investigation by a newspaper reporter from The Sun, who was able to buy bank account, credit card, passport and driving licence details of UK bank customers for just £4.25 each.
The call centre worker in New Delhi also told the reporter he could supply confidential data from 200,000 accounts per month. The newspaper handed a dossier with all the details to the City of London police.
Detective Inspector Oliver Shaw of the economic crime unit at City of London Police said in a statement: "Unfortunately we have no jurisdiction to prosecute in the UK so we have passed it through Interpol to the Indian authorities."
A spokesman for data protection watchdog the Information Commission said it is a matter of "great concern" and warned that UK-based companies who outsource their customer services to a call centre whether in the UK or overseas remain legally liable for any security failings.
"It seems likely that a criminal breach of the Data Protection Act 1998 has occurred. We will be contacting the City of London police, as well as taking the matter up with those UK companies whose customers' details have been provided to The Sun," he said.
But banking watchdog the Financial Services Authority (FSA) refused to say whether it would launch any investigation.
An FSA spokeswoman said, "Our concerns are whether adequate security controls were in place but a determined fraudster is always going to get through."
The latest breach could ignite a backlash against the Indian outsourcing industry following the theft of $350,000 from the accounts of US Citibank customers from a call centre in India earlier this year.
But Indian IT trade association Nasscom said these incidents are rare and can happen at call centres regardless of which country they are located in.
A Nasscom statement said: "Nasscom will work with the legal authorities in the UK and India to ensure that those responsible for any criminal breaches are promptly prosecuted and face the maximum penalty. The problem is not unique to any single nation - it is one that affects us all - and each of us has a responsibility to take on the criminals. India, with its strong legal system and its independent judiciary, is a country that takes this responsibility extremely seriously."
Talkback
DATA PROTECTION LAWS ARE SUFFICIENT IN INDIA.
The proposed change in the Information Technology Act, 2000 for conferring data protection or its separate enactment is not only unwarranted but is equally based on misinterpretation of the provisions of the Indian Copyright Act, 1957 and the TRIPS Agreement.
The concerns and apprehensions of the MNCs are far-fetched and unwarranted. The TRIPS Agreement and the Copyright Act, 1957 provides sufficient safeguards for preventing violations of databases of MNCs. The data, information and details provided by the MNCs will get the protection of ‘Data Property” if the same involves intellectual creations within the meaning of Article 10(2) of the TRIPS Agreement. If they fail to satisfy the requirement of Article 10(2), still they will be protected as copyright. The brightest and the positive aspect of this situation is that even non-data items are also protected, both under the TRIPS Agreement and the Copyright Act, 1957. Thus, the MNCs should concentrate on their “business initiatives” rather than wasting their resources and time on unnecessary concerns.
(See http://perry4law.blogspot.com/2005/05/mandates-of-wto.html for more details).
It must be appreciated that it is not the “enactment” of a law but the desire, will and efforts to accept and enforce it in its true letter and spirit, which can confer the most strongest, secure and safest protection for any purpose. The enforcement of these rights requires a “qualitative effort” and not a “quantitative effort”. The “enforcement” problem cannot be “bypassed” and “labeled” as inadequacy of data protection laws in India. For instance, if we do not enforce the provisions of Copyright Act, 1957 or the Trade Marks Act, 1999, properly, then we can again argue that these Acts need to be amended to accommodate the wishes of MNCs. Any objection of lack of data protection laws in India is raised only due to the ignorance of the availability of data protection laws in India.
India has a sound cyber law regime and both paper based and electronic form data can be effectively and legally protected in India. Any objection regarding “insufficient” cyber law or Data protection law is only a misconception and ignorance of law in this regard.
Now recently about 40 million credit/debit card particulars were reported to have been compromised in USA. This is a serious lacuna in data security amongst BPOs in USA. Surprisingly, none raised any hue and cry regarding insufficient Data Protection laws in US.
It seems the difference between “Data protection laws” and their “enforcement” is not clear to the persons agitating against insufficient data protection laws in India. India has sufficient data protection laws and these laws only require sound techno-legal enforcement.
The bottom line is that none can stop a determined and commited offender from commiting a crime. It may be commited any where, including India.
US issue was different. What happened was that the information was on a hard drive which was lost during shipment so it wasnt a case of data being sold. It was a case o hardware going missing.
Although I do agree the data theft can occur anywhere it is the cost factor that makes it so worthwhile doing it via India as the wages are so low. Hence the fact that you can buy all the information you require for £4.50. Other cases of data theft have been reported in the US but to get it required a lot more bribery money. This makes the cost of acquiring the info more expensive and not as rewarding.
If the Indian law is sufficient to protect the data then they have to inform the IT workers at call centres of the fact. To illiminate the possiblity of selling data they can implement thin clients which gives them no chance to save the data on a device for transfer off site.