An undercover investigation by The Sunday Times recently reported that data is being sold by "corrupt Indian call centre workers" to cyber criminals and marketing firms. The report said that two Indians, claiming to be information technology workers at call centres, met undercover reporters and boasted of having 45 different sets of personal information. The data included names, addresses and telephone numbers of credit-card holders, as well as the cards' start and expiry dates and three-digit security verification codes. Other information being offered related to mortgages, loans, insurance, mobile phone contracts and satellite television subscriptions.

The most alarming aspect of this case is the ease with which, it would appear, call centre staff were able to misuse confidential information. While no organisation can completely safeguard against insider threats, measures can be taken to reduce the possibility of data misuse by insiders and mitigate access risk.

In this instance, the selling of personal data could have been prevented or detected at an early stage if the call centres' IT staff had had effective systems in place to control and monitor user access to confidential information. Such access risk management systems should be capable of controlling who is accessing customer data, how it is being used, and where and when. Specific restrictions could have been implemented, such as preventing the copying of confidential data onto memory sticks or other external devices, or disabling access to such information from specific locations or at certain times.
