Want CNET to notify you of price drops and the latest stories?

U.K. watchdog targets data breach

The Information Commissioner's Office says recent call-center security failure is a criminal breach of the U.K.'s Data Protection Act.

2 min read
U.K. banks have been warned they face prosecution for breaching the Data Protection Act after a call-center worker in India sold bank account details of 1,000 U.K. customers to an undercover reporter.

The security leak was discovered following an investigation by a newspaper reporter from The Sun, who was able to buy bank account, credit card, passport and driver's license details of U.K. bank customers for just 4.25 pounds (about $7.75) each.

The call center worker in New Delhi also told the reporter he could supply confidential data from 200,000 accounts a month. The newspaper handed a dossier with all the details to the City of London police.

Detective Inspector Oliver Shaw of the economic crime unit at City of London police said in a statement: "Unfortunately we have no jurisdiction to prosecute in the U.K. so we have passed it through Interpol to the Indian authorities."

A spokesman for the U.K.'s data protection watchdog, the Information Commissioner's Office, said the security leak is a matter of "great concern" and warned that U.K.-based companies that outsource their customer services to a call center, whether in the U.K. or overseas, remain legally liable for any security failings.

"It seems likely that a criminal breach of the Data Protection Act 1998 has occurred. We will be contacting the City of London police, as well as taking the matter up with those U.K. companies whose customers' details have been provided to The Sun," he said.

But banking watchdog the Financial Services Authority (FSA) refused to say whether it would launch any investigation.

An FSA spokeswoman told silicon.com: "Our concerns are whether adequate security controls were in place, but a determined fraudster is always going to get through."

The latest breach could ignite a backlash against the Indian outsourcing industry. Earlier this year, the accounts of U.S. Citibank customers suffered a theft of $350,000 because of a security breach at a call center in India.

But Indian IT trade association Nasscom said these incidents are rare and can happen at call centers regardless of which country they are located in.

A Nasscom statement said: "Nasscom will work with the legal authorities in the U.K. and India to ensure that those responsible for any criminal breaches are promptly prosecuted and face the maximum penalty. The problem is not unique to any single nation--it is one that affects us all--and each of us has a responsibility to take on the criminals. India, with its strong legal system and its independent judiciary, is a country that takes this responsibility extremely seriously."

Andy McCue of Silicon.com reported from London.