[ISN] Insecurities over Indian outsourcing

InfoSec News isn at c4i.org
Wed Apr 27 01:23:40 EDT 2005


By Ed Frauenheim 
Staff Writer, CNET News.com
April 26, 2005

A case of bank fraud involving an India-based outsourcer has rekindled
a debate about using overseas contractors for tasks involving
sensitive data.

Some say there's little risk, while others warn of serious hazards,
including a threat to America's national sovereignty.

In the incident, former call center employees of Mphasis are accused
of taking part in a theft of $350,000 from U.S. consumers' bank

In the wake of the theft, some observers have voiced concerns about
the security of data being handled by outsourcers in India, including
worries about weak procedures for checking employee backgrounds.  
According to this school of thought, the Mphasis breach could
dramatically dent the amount of call center work shipped to
outsourcers operating offshore.

"This was not a lapse of judgment or an issue of poor customer
service: The incident was an organized and systematic plot to steal
customers' money," John McCarthy, an analyst at Forrester Research,
wrote recently. "Forrester believes that this breach, coupled with
recent onshore disclosures of sensitive customer data, will have
far-reaching negative connotations for the offshore BPO (business
process outsourcing) space."

Not everyone shares this view. But even the perception of danger could
hurt the market.

A report from rival researcher Gartner played down the security risks
but made no bones about the seriousness of the situation. "The entire
Indian offshore industry ecosystem--including...the Indian
government--must act quickly and decisively to counter the perception
that Indian BPO poses a severe security risk," the report said.

Business process outsourcing, or BPO in industry parlance, refers to
farming out tasks such as customer service and transaction processing
to a separate company. The work could be done in the United States, or
completed in lower-wage countries such as India or Mexico. In
addition, some organizations have set up their own operations
offshore. Shipping tasks offshore has become a controversial issue for
U.S. labor advocates.

At the moment, U.S. organizations devote only a small fraction of
their budgets for information technology services--including BPO--to
low-cost countries, according to a recent Merrill Lynch survey of
chief information officers. But that share of the budget is expected
to grow over time, from 0.9 percent in 2004 to 1.6 percent in
two-to-three years.

According to the Merrill Lynch report, security fears are the main
reason CIOs aren't moving IT work offshore faster: The "key inhibitor
preventing companies (from using) offshore outsourcing remains data
security," the report said.

Earlier this month, news broke that police in India arrested three
former Mphasis call center employees who allegedly stole U.S.  
customers' personal account information and transferred about $350,000
to fake accounts in Pune. Among other people arrested in the case was
a current Mphasis call center worker, said Mphasis Vice Chairman
Jeroen Tas. He said the perpetrators may have persuaded bank customers
to disclose their account passwords.

A Times of India story cited unnamed sources in pegging Citibank as
the bank in question. Citibank did not return a call requesting
comment. Mphasis declined to comment on the identity of the bank.  
Mphasis, which has operations in India, China and Mexico, is led by
former Citibank executives.

The Indian arrests come during a period of heightened anxiety about
data security and identity theft.

In one of the latest examples, LexisNexis revealed that an intrusion
into its Seisint databases may have compromised personal information
on about 310,000 Americans, a tenfold increase on a previous estimate.

In 2003, the San Francisco Chronicle reported allegations that a woman
in Pakistan doing clerical work for the University of California at
San Francisco Medical Center had threatened to post patients'
confidential files online unless she was paid more money.

But most of the criticism of so-called offshoring has focused on other
matters, such as service quality and communication problems.

Data security at companies providing call center services offshore is
indeed an issue, however, according to industry observers. Checking
into the credit and criminal backgrounds of employees is not as
reliable in India as it is in the United States, said Vail Dutto,
chief executive of InTelegy, a California-based consulting firm. Among
other services, InTelegy helps clients choose call center outsourcers
in India. Dutto said Indian methods for tracking a person's past are
not as mature as those in the United States, where an individual's
misdeeds in one state are likely to turn up when the person applies
for a job in another.

"What you did in Bangalore might not as easily follow you to Mumbai,"  
Dutto said.

Mphasis' Tas agreed that checking the backgrounds of employees in
India is more difficult than in the United States. "It is harder to
track that," he said. But the background-checking process for call
center employees and other BPO workers in India could improve, Tas
said, thanks to plans by the country's National Association of
Software and Service Companies, or Nasscom, to set up a national
registry of BPO workers.

Another concern is employee attrition. Thanks partly to the perception
that BPO work amounts to a dead-end job, attrition rates have been
increasing in India. Higher turnover works against efforts by call
center companies to run a tight ship, argues Forrester Research
analyst McCarthy.

"Forrester expects that the rising attrition rates in the call center
space--50 percent to 100 percent--undermine suppliers' ability to
adhere to processes and sufficiently check backgrounds," McCarthy
wrote in his report earlier this month.

McCarthy also suggested the Mphasis breach will seriously hurt the
offshore BPO business. "Call center BPO growth could drop by as much
as 30 percent," he wrote.

Tas called the Forrester report "sensational." He said Mphasis' annual
turnover among BPO employees was in the range of 30 percent to 40
percent, and he said that level is not unusual for call centers

In a statement made on April 13, Mphasis said it "highly values data
protection and data security of its clients. It has proactively
instituted elaborate systems which are constantly reviewed, to ensure
and protect client confidentiality."

Among its rules, Tas said, are that cell phones aren't allowed in call
centers, given the ability of some of them to take pictures. In
addition, between 2 percent and 5 percent of calls are monitored at
Mphasis BPO facilities. This is consistent with the norms in the
industry, according to the company.

Tas said the alleged fraud is not a sign of security problems specific
to shipping call center work overseas. "We believe this is something
that can happen anywhere," he said.

But losing control of sensitive data abroad is particularly worrisome,
argues Peter Gregory, chief security strategist at consulting firm
VantagePoint Security.

"Outsourcing America's corporate business processes to overseas
countries not only makes accountability difficult to enforce, but it
puts our national sovereignty at risk," Gregory said in a statement.  
"In this, the Information Age, a country like India could disconnect
itself from the Internet and hold America hostage--a provocative
action that would be tantamount to an act of war."

In its report earlier this month, Gartner offered a much less grave
assessment. The idea that offshore business process outsourcing
presents special risks is a "largely incorrect perception," the firm

But Gartner and others seem concerned the perception alone could
torpedo the industry. In a statement earlier this month, Mphasis
appeared to acknowledge the fraud could have a potentially large
impact on India's BPO industry.

"We have instituted our own internal inquiry and taken necessary
short-term and long-term measures in consultation with Nasscom and the
bank concerned, to protect our clients and their customers, and
safeguard the security and integrity of the BPO business in India," an
Mphasis representative said in the statement.

Some see a silver lining for offshoring in the fraud case. Tas said
the response by police in India shows that the system of laws and law
enforcement in India "works well, and it works swiftly."

"India is fast becoming the outsourcing capital of the world, and this
kind of incident, while unfortunate in itself, when successfully dealt
with, highlights and reaffirms the existence of an effective framework
of laws and a commitment to enforcing them in India," Nasscom
President Kiran Karnik said in a statement.

Nasscom has set up an Indo-U.S. security forum to make its members
aware of security and privacy issues when they handle sensitive
information from foreign companies. Nasscom also recently launched a
security initiative in Pune with local IT companies and police.

That may not be enough to satisfy the public, however. Earlier this
month, Sen. Dianne Feinstein, a California Democrat, introduced
legislation to ensure that Americans are notified when their most
sensitive personal information is part of a data breach that puts them
at risk of identity theft.

Politicians in India as well would be wise to act, McCarthy argues.  
"To bolster its offshore credibility, India will also have to tighten
its data protection and privacy laws," he wrote in his report.

He also suggests that companies sending tasks offshore take an active
role in managing their remote work, even going so far as to mandate
pencil-free offices: "Customers are going to have to implement their
own aggressive requirements, such as eliminating writing instruments
in their offshore centers."
