The call on my mobile was from a strange, foreign number and it came one afternoon when I was in a discussion with some team members. It was the voice of a boy who could not have been more than eight. Speaking Hindi in an unfamiliar accent, he told me that I had won a lottery and to collect my prize I should call a certain phone number. At this stage, I put the call on speaker phone for some amusement. A colleague whispered that I should ask him where he was calling from.
Also Read Vasudevan’s earlier columns
“From Bombay,” he said. His diction was unpolished like that of a child who has never been to school.
“Are you calling from Pakistan?” I asked, upon the colleague’s prompting.
“No not from Pakistan, from Bombay,” he repeated. At that exact moment a muezzin’s call from a mosque wafted forth clearly, breaking the silence in the background. I hung up after assuring the boy I would call and immediately checked the ISD code. It belonged to Malakwal town, Mandi Bahauddin district, Punjab province, Pakistan.
Someone across the border knew my number and had got a clueless child to make a naive sales pitch in the hope that the scam will pay off. The idea was a bit disconcerting. I understand that several Airtel users received these calls and Bharti Airtel Ltd has issued a warning to all subscribers to avoid calls beginning with +92 (Pakistan’s ISD code). In fact, those who called back, are immediately sent an SMS advising caution.
Databases and their leakage
Last week, I received another call from an aggressive man representing Tata AIG, who almost bullied me into buying a policy and demanded my credit card details so that he could charge it once I signed the policy documents. I woke up from my telecaller-induced stupor to reflect on these bizarre calls I had been receiving. No one wants to talk to fraudsters or pushy insurance salesmen. So how come I did? Because the callers had procured my profile details without my knowledge.
Databases. Files with customer names, contact details and consumption history. Financial services, telecom, dish television, car servicing companies—in fact anyone who has anything to sell is clamouring for fresh databases. What is a “used database” for one company becomes “fresh” for another. An airline frequent flyer database is great for selling premium credit cards. A list of high networth bank customers is an excellent fodder for a real estate company launching a super luxury project.
Insider threat to customer data
Databases are available at a cost but there is an entire grey market network through which they are leaked out and traded across and within industries. In 2008, Cisco conducted a global study on data security and leakages in businesses. The findings showed “insider threat”—data loss resulting from employee behaviour—is far more extensive than the threat posed by external factors like hackers. These threats could be due to common negligence, such as failing to log off, sharing passwords or losing company hardware, such as laptops and pen drives containing customer data files. Some employees fail to return company devices when they leave the job. And then there is the disgruntled employee who takes revenge by selling off the company’s database to make up, perhaps, for the increment he was denied. The Cisco study shows that a shocking 11% confessed that they or their co-workers accessed unauthorized information and sold it for a profit.
We live in a digital age where everytime we agree to the terms and conditions on a website, we become part of a database. The innocuous feedback forms of airlines and restaurants are data collecting tools in disguise. Normally, as customers, we will not have a problem if that particular restaurant wishes us on our birthday or the airline sends a promotional mail, because we have consciously given the information to that entity. The problem arises when due to lack of security policies in that entity, the data is leaked or stolen and comes back to haunt us as a telesales call from another company.
They owe it to customers
Mitigating the threat of data loss from within is a huge challenge for organizations due to multiple points of leakage such as the Internet and various storage devices that enable easy movement of confidential information. (For example, a 64 GB removable device can allow entire hard drives to be copied into something the size of a chewing gum packet.) Yet businesses must remember that they owe this to their customers who in good faith reveal their life’s coordinates to them.
Nasscom set up the Data Security Council of India (DSCI) to help information technology (IT) and IT-enabled services industries to achieve a high level of data security. But DSCI mainly reassures foreign companies who outsource work to India, that it is safe to do business with us, because Indian IT companies care about data security. We now need the numerous local companies whom we engage with as customers, to assure us that they too care about data security and our names won’t end up in stolen databases.
Vandana Vasudevan writes stories of mass urban consumer experiences. She is a graduate from the Indian Institute of Management, Ahmedabad, and currently works with HT Media Ltd. Your comments are welcome at firstname.lastname@example.org