India's Business Process Outsourcing (BPO) industry received a serious jolt when a TV channel promised to telecast the issue of growing concern over vulnerability of data security in BPOs and call-centers in India.

The London daily, the Sunday Times, quoting an investigative report by Channel 4, said that the credit card data, along with passport and driving license numbers, are stolen from call centers in India and sold to the highest bidder.

Middlemen are offering bulk packages of tens of thousands of credit card numbers for sale. They even have access to taped telephone conversations in which British customers disclose sensitive security information to call center staff, The Sunday Times reported in a shocking expose.

The Sunday Times' report has made Kiran Karnik, president, National Association of Software and Service Companies (NASSCOM), the premier trade body and the chamber of commerce of the IT software and services industry, fumble for explanations as recently he had boasted that the country's BPO industry has the potential to process up to 30 percent of all US bank transactions by 2010, while it currently does around 8 percent.

According to industry sources, many BPOs, including Tata Consultancy Services, Wipro, Zenta and Office Tiger, carry out cash recovery for American Express, Chase Bank and Capital One Bank. They collect credit card and bill payments from US citizens.

Industry sources say India does banking transactions at a substantially lower price (about 40 percent lower than the US).

Channel 4 is understood to have spent over a year trying to locate security lapses in India's call centers.

The program titled 'The Data Theft Scandal' is a part of Channel 4's investigative series 'Dispatches' that will be telecast in the UK on October 5.

NASSCOM had been in correspondence with Channel 4/Dispatches in connection with the broadcast and had requested details of the allegations which Dispatches intends to make together with the evidence/support documentation that they have. Dispatches have refused to provide that information, NASSCOM said.

Whilst there are a lot of unanswered questions, we take any allegation of a breach in our security extremely seriously. It is vital that Dispatches co-operates immediately so that the perpetrators of any breach can be brought to justice and lessons can be learnt. NASSCOM will reach out to the Indian police to investigate the claims made in the program, Nasscom president Kiran Karnik said.

The association is also trying to get the information from Star News that has telecast footage related to the same case.

Last June, the HSBC employee in Bangalore was arrested after £ 230,000 was stolen from British customers' accounts.

However, this time, unlike the HSBC-like cases where BPO employees were in the firing line, the charges are against middlemen.

Presently, the only available information is that Channel 4 has on record a middleman named Sushant Chandak offering to sell a database with the credit card details of 200,000 people as commercial leads. At a meeting in Calcutta, he seems to have boasted of a network of agents in call centers across India.

In addition to credit card numbers, Chandak was also offering passport numbers, driving license numbers and personal banking details, the report alleged.

In a separate meeting, Chandak offered the details of 8,000 British mobile phone users. He even apparently had tapes of customers being called at home from a call center.

A second New Delhi-based middleman known as Ghufran is offering details of customers with Halifax, Nationwide, Woolwich, Bank of Scotland and NatWest for £ 5 each. The details are believed to have been obtained from purchases using cards, the report claims.

Ghufran claimed the information was obtained by technical support staff which visited call centers and used memory sticks to download recent sale transactions.

According to the newspaper, Chandak and Ghufran have denied selling information unlawfully. Chandak reportedly said the information he provided was not genuine while Ghufran said he was passed the data.

Meanwhile, the industry has also come down heavily on the so-called global sting operations targeting the Indian BPO industry. We are concerned about the veracity of such stories, especially sting operations. Uncovering crime in society is one thing and inducing crime by offering monetary inducements is another, said Karnik.

The issue of security breaches is not offshore-centric. A research conducted by Forrester in 2005 said there were more security breaches in the UK and the US than in India, Karnik said.

Moreover, according to the findings of Financial Services Authority survey in April 2005 to review the risks involved in offshore outsourcing, Indian firms were aware of the general and firm-specific risks and were already undertaking appropriate actions to mitigate them, he said.

However, Karnik acknowledged that even though India is much safer than most other countries including the US and UK with regard to information security, further tightening of IT/BPO security backed by a strong legal framework is necessary to further improve India's position as an outsourcing destination.

We are working closely with the government on key initiatives to create a 'secure' information security environment in the IT, ITes/BPO segments, Karnik said. As more transactions are done on the internet these days including booking tickets, shopping, and banking security has become a major concern all over the world. In India, which is comparatively safer, our target is to create a more secure environment and do away with the loopholes, imperative for the growth of the country.

Key initiatives undertaken by NASSCOM to make India free from Cyber crimes and data theft are the Self Regulatory Organization (SRO) which will be rolled out in the next 2-3 months, and the National Skills Registry (NSR) which was unveiled in January earlier this year, he said.

We will be rolling out the SRO, entailing a common standard to be followed by companies who are a part of it, that will broadly provide training, capacity building and also serve as a dispute resolution mechanism, in another 3-6 months, he said.

On further details on the companies who have evoked interest to enrol in the SRO, Karnik said, Discussions are on, and we are still in the early stages. It will be operational within 2-3 years. The initial funding of the SRO is complete, and once operational, it will establish, monitor and enforce privacy and data protection standards for India's IT/BPO industry. Some penalties will also be imposed on the faulting companies, he added.

According to sources close to the development, NASSCOM is keen to strengthen the overall ambience of the IT security scene in India and is working with the government and enforcement agencies to strengthen the legal framework, and do away with loopholes in the system.

NASSCOM will also open two more cyber labs in Pune and Bangalore this year for training police officers in Cyber crime investigation. More of such labs are being planned in Delhi, Hyderabad and Calcutta.

It already has two such labs in Mumbai and Thane and has trained about 1,800 police officers and expects to train 3,000 officers in the next 12 months, NASSCOM vice president, Sunil Mehta said.

The NSR, the first such registry in the global IT/BPO industry, was launched to ensure a verified database of human resources of the segment, and is a voluntary online registry of workers containing an employee's professional history, education and personal background.

Since its inception, it has already registered 25,000 employees and 24 companies accounting for 30 percent of the industry's total workforce.

Six leading companies, which belong to our board, have said they would have 100 percent of their employees on the NSR by the year 2007, Karnik said, adding, a significant proportion of industry would be on the NSR in the next 18-24 months.

Asked about whether India should have a separate set of laws pertaining to information security, Karnik said, I don't think we need separate laws, as a lot of enactments already exist in India.

In the US, which reported 148 cases of identity thefts in the last year - versus 10 cases reported in India - there are no separate laws to deal with a breach of IT security. The European Union is the only one that has a separate mandate for information security.

Besides, NASSCOM is also working with the government to evolve recommendations to amend the Indian IT Act 2000, to protect overseas customer data and tightening punishment for defaulters.

The Act, which is in the final stages of approval with the government, will be tabled in the winter session of Parliament.