It started off as the business process outsourcing (BPO) industry's worst nightmare come true. Three customer service agents of call centre contractor MphasiS BFL, working on the Citibank account, gained the confidence of four US customers and obtained their PIN numbers and other classified account information. They then used these to transfer money out of those customers' accounts and into the accounts of members of their gang. Could this security breach have a ripple effect far beyond MphasiS BFL and seriously erode international confidence in India as an outsourcing hub?
By quickly apprehending the 16 persons accused of stealing the $426,000, the cyber crime unit of the Pune police appears to have accomplished more than what was strictly required in its line of duty. The swift operation has woken up a large section of the US population, generally afflicted by the Middle Kingdom mindset, that India is not exactly the dark badlands. Some of them have been pleasantly startled to learn that Pune, a place they had never heard of, has a police force which has a cyber crime unit.
With this, the anti-outsourcing lobby in the US—its election funding gone down the drain with John Kerry's defeat—seems to have missed out on another opportunity. There was some noise initially and one columnist tried to put alleged encounter killings by India's police force out of context and portray the country as lawless. But that's about it. Citibank, for one, says it is not changing its relationship with MphasiS and has no plan to cut outsourcing to India.
"The US firms are not holding this incident against Indian companies," said Howard A. Schmidt, CEO, R&H Security Consulting, and former cyberspace security advisor to the White House, at an Indo-US Cyber Security Forum organised by the CII in New Delhi.
What has helped put things in perspective for the US—which provides about $9 billion in business, 70 per cent of the total, to India's BPO industry—is that it is not a stranger to hi-tech heists. Data collator ChoicePoint has suffered thieves who opened up 40 accounts, took out vast amounts of data on 1,45,000 customers and defrauded at least 750 over the course of a year. Ohio-based DSW Shoe Warehouse has said that more than 1,00,000 customers of a shoe store chain have been affected by a cyber break-in of the company's database. London-based Reed Elsevier, which owns LexisNexis, has revealed that criminals may have breached computer files containing personal information of 3,10,000 people since January 2003. Data apparently stolen from clothing retailer Polo Ralph Lauren is forcing banks and credit card issuers to notify thousands of consumers that their credit card information may have been exposed. HSBC North America has begun notifying holders of its General Motors-branded MasterCard that criminals may have obtained access to their credit card information. "The problem is not India-specific. It's global," says Anthony Teelucksingh, an official at the computer crime and intellectual property section of the US department of justice.
In comparison to the US, the Indian BPO industry has had a largely uneventful run, barring stray incidents. Two years ago, a waiter in a Hyderabad hotel was caught noting down the guests' credit card numbers and expiry dates and selling the information for Rs 200 apiece. The same year, a programmer for Geometric Software Solutions tried to sell a US client's intellectual property but was arrested. In the Suhas Katti case, the accused was convicted in just seven months for posting obscene and defamatory information on a Yahoo message group about a divorced woman he wanted to marry.
"The Pune case has further shown that India takes this thing very, very seriously—that these things can happen anywhere in the world but the Indian system works," says Jeroen Tas, vice-chairman and co-founder, MphasiS.
At one level, the Pune case is exasperating. It has taken place despite every self-respecting BPO outfit securing itself like Fort Knox. Employees have to swipe ID cards through a reader, empty their pockets and bags, and deposit cellphones, PDAs, pens and notebooks into lockers. Almost every piece of paper with ink on it is shredded at the end of a shift. Visitors have to fill forms promising not to divulge anything they may see or hear. At Wipro Spectramind, even the CEO's bags are checked when he leaves office.
Computer terminals at several BPOs lack hard drives, CD-ROM drives, e-mail, or any other facility to store data or communicate. Video cameras watch over cubicles. Every phone conversation is recorded and can be monitored on a system that costs $1,000 per worker. To prevent disgruntled former employees from stealing data (which happened in Pune), MphasiS can cut an employee off completely three minutes after the resignation.
Still, to an extent, the industry will remain vulnerable. It is so new, best practices are still evolving, and the attrition rates hover between 60 and 80 per cent. To compound matters, the average employee age is 22-24. For most, it's their first job. And many of them are used to sharing passwords with family members who share internet accounts.
When recruiting, BPOs make it a point to verify addresses; some even have police verification and character checks done. But what can you do when some employees, when they want to quit, simply stop reporting for work, not caring to return their access cards? And what can you do if customers willingly part with personal identification numbers, as they did in the MphasiS-Citibank case?
"We are exploring whether it is possible to expand the psychometric tests (which now look at whether the prospective employee is a good salesperson or is likely to stay with the company for long) to assess the bent of mind, see if it is clean or not," says Sunil Gujral of Wipro Spectramind.
Nasscom is pushing a scheme under the formidable name of Fortress India to keep track of the entire BPO workforce. "We must also look at laws to make sure there are no loopholes and that laws across the world have synchronicity," says Nasscom chief Kiran Karnik.
Amendments have been recommended by Nasscom and other groups to the Information Technology Act of 2000 to plug loopholes, of which there are several. To begin with, there is no clarity on jurisdiction—whether it will be determined by where the offending information was uploaded or downloaded.
The procedures too need urgent attention. Says Ashok Dohare, inspector-general of police, Madhya Pradesh, and an expert on cyber law: "The IT Act does not amend procedural law. Even for seizing digital evidence, we are required to make a physical seizure." It is easy to empathise with Dohare. Every day, five per cent of India's police force is engaged in just carrying physical evidence from one place to another since the courts need to be convinced that it has not been tampered with. A few years ago, a stack of floppies had been pierced to put a string through them for safekeeping.
Even as laws evolve and safety measures increase, there will never be 100 per cent safety. Criminals will find newer ways. The key is to ensure that they are apprehended quickly and penalised. The US, which has just a shade less than 200 pending bills designed to curb outsourcing, including the SAFE-ID Act being pushed by Hillary Clinton to make sure that US companies do not send customer information to another country without permission, is generally quick to press the panic buttons.