Revealing a case of data theft by a call centre employee in India, a UK-based media group has unearthed a racket allegedly involved in selling credit card details of British customers in New Delhi.
During a sting operation, BBC reporters posing as fraudsters from London bought UK names, addresses and valid credit card details from one Saurabh Sachar, based in New Delhi. The investigation was broadcast in BBC's news bulletin on Thursday.
The team went to India on a tip off after being put in touch with a man offering to sell stolen credit and debit card details. Two undercover reporters met the broker in a Delhi coffee shop for an encounter that was filmed secretly.
He said he could supply them with hundreds of credit and debit card details each week at a cost of $10 a card. After the reporters agreed to initially buy the details of 50 cards, the man handed over a list of 14.
Sachar said the remainder would be sent later by e-mail. He claimed some of the numbers had been obtained from call centres handling mobile phone sales or phone bill payments.
After the team returned to the UK, Sachar continued to supply card details to one of the reporters through email.
Nearly all of the names, addresses and post codes sold to the reporters were valid. But most of the numbers were invalid -- often out by a single digit, the BBC said.
However, about one in seven of the numbers purchased were active cards still in use by UK customers. Their owners could have been subjected to fraud if these cards had fallen into the hands of criminals.
The BBC team contacted the owners of these cards and warned them about the fraud. Three of the customers had bought a computer software package by giving their credit card details to a call centre over the phone. Within hours of the purchase, their details were sent on to the reporters.
The purchased software was made by Norton, a part of the Symantec corporation which launched an investigation after being informed of the the probe. Symantec said the leak had come from a single source which has now been removed.
"We are investigating how this incident happened and will take appropriate steps to find opportunities for improvement in our processes. We have engaged with the local law enforcement officials in India and will cooperate fully with that investigation. We are in the process of reviewing all possible options to manage this third party call centre, including moving away from it," it said in a statement.
Data protection lawyer Pavan Duggal told the BBC: "India is only paying lip service to data protection. We don't yet have a dedicated legislation on data protection. Until such times as India comes across with stringent provisions on data security we will have instances like this keep on happening."