Symantec said on Tuesday that it is looking into allegations that a call centre in India leaked credit-card numbers of its customers to someone who then sold them to BBC News reporters in an undercover investigation.
The company has informed UK privacy authorities, plus attorneys general and officials in eight US states and Puerto Rico, of the allegations that three UK customers had credit-card information leaked and that about 200 US customers may have been affected because of interactions with the call centre, said Symantec spokesman Cris Paden.
"We nailed it down to one agent at the call centre [who handled the Symantec customers]", he said. That agent was put on administrative leave pending the investigation, he added.
In addition to Puerto Rico, the states contacted were: New Hampshire, Maryland, New Jersey, Maine, Massachusetts, New York, Virginia and North Carolina, Paden said.
It was unclear how the data of the three UK customers went from the call centre into the hands of the man whom the BBC News said sold the credit-card numbers. Nor was it clear whether any data from the US customers had been leaked. Paden said there was no evidence any US data was exposed.
In a letter to New Hampshire attorney general Kelly Ayotte, dated 24 March, the security vendor said it was "investigating a potential security incident involving a small number of customers' credit-card information".
The letter said Symantec was sending a notice to an unnamed customer in New Hampshire who may have been affected by the alleged incident, even though the company does not believe a security breach as defined by New Hampshire statue had occurred.
The company said even though it has no evidence that the credit-card information of any US residents was compromised, it was offering its customers one year of identity-protection services through Debix as a precautionary measure, and reviewing its "security processes and third-party vendor protocols".
BBC News reported on 19 March that undercover reporters posing as fraudsters had gone to Delhi to buy 50 credit-card numbers, at $10 a card, from a man who claimed to have obtained them from a call centre. They filmed the interaction. The man denied any wrongdoing, the BBC said.
When the reporters contacted some of the card owners, three of them said they had bought Norton software from Symantec over the phone using their cards. The purchases were found to have been made within hours of each other and the numbers were sent to the BBC shortly thereafter, the report said.
Symantec has set up an email address for customers to contact to get more information at global_purchase_query@symantec.com.
The BBC was criticised recently for purchasing a botnet and using it in some tests to show the dangers web surfers face.
The Wall Street Journal was first to report on the Symantec letters to officials on Tuesday.
Talkback
While economically sound on costings, to put such information in the hands of comparatively poor 3rd world operators is somewhat irresponsible.
The information available to such call centre operators, regardless of location, should be limited to make it unusable on it's own.
There must always be one level of access information that is not available to call centre operators.