Confidential data from a New York company that had been entrusted to Mumbai-based BPO Epicenter Technologies Pvt Ltd was compromised recently, the Economic Times reported on Tuesday. An FIR was filed by SJ Amin, a senior manager in the BPO’s human resources department, which said the email accounts of the New York-based debt recovery company, used to communicate with clients, were illegally accessed from outside the BPO. One of the email addresses was allegedly accessed by a rival BPO company. According to the FIR, five employees of the BPO were given four confidential email IDs and passwords of the New York firm so that they could communicate with clients on behalf of the company. But in April, officials at the BPO learnt that the email accounts had been accessed from other computers and their passwords had been changed. The BPO officials then informed the police and filed a complaint.

The report said that under the terms of an April 2018 agreement between Epicenter Technologies and the New York firm, confidential data could not be accessed or used from outside the BPO. But Epicenter gave one of its employees, who had access to the four email accounts, a laptop that contained a list of the NY firm’s clients, their email IDs and other confidential information. This employee has since left the BPO but has not returned the laptop. Given the alleged role of a competing BPO, police are also investigating whether this is a case of corporate espionage. A case has been registered against unknown persons under sections 43A (compensation for failure to protect data), 66C (identity theft), 66D (cheating by personation by using computer resource) and 72A (disclosure of information in breach of lawful contract) of the Information Technology Act.

Protecting customers’ data at BPOs

BPOs, due to the nature of their work, have troves of data on their clients’ customers. Safeguarding it, both from internal and external breaches, is a basic requirement. But in the recent past, customers’ confidential data has been misused by BPO workers themselves. Here are a couple of such cases:

  • In 2016, more than 15,000 victims in the US lost ‘hundreds of millions’ of dollars to a scam run by tele-callers from Mumbai. In addition, more than 50,000 individuals had had their personal information misused, the New York Times reported. The tele-callers impersonated Internal Revenue Service or immigration officials on the phone and threatened arrest, deportation, or other penalties if the victims didn’t pay their debts via prepaid cards or immediate wire transfers. Sagar Thakkar, aka ‘Shaggy’, was the mastermind behind the scam. The US Department of Justice had charged 61 people and entities linked to the scam, and sentenced 24 of them in July 2018. Most of the people convicted were of Indian origin.
  • In January 2016, the Financial Times reported (paywall) that three people were arrested from a call centre in Kolkata for misusing data of TalkTalk customers to make scam calls. TalkTalk is a telecommunications company based in the UK that made use of the Wipro-run call centre in question. TalkTalk said that call centre agents only had access to ‘narrow slices’ of information of its customers.