Security perspectives on call center ID theft risks, Part 1

How heavily do your call center employees factor into your identity theft risk assessment? The weapon of choice is often just a notepad and a pencil, and this hard-to-track insider threat has become even more complicated over the past decade as operations have been globalized for cost savings.

One enterprising Bank of America employee just got nabbed for attempting to trade in identity-rich information tediously gathered in an analog fashion:

Hagen allegedly logged account-holders' names, birth dates, addresses and account histories between September 2009 and April 2010. He was supposed to get a 25 percent stake of the profits, court filings state.

One of the customers had his information stolen after calling Hagen to have Netflix automatic payments suspended from his account, prosecutors say.

That customer's BofA account contained more than U.S. $444,000.

My perspective as an investigator – and also as someone who worked in the trenches of tech call centers – is that it is far too easy for an insider to gather this type of information. A simple pen and notepad, as Hagen allegedly used, or just a very sharp memory, can glean dozens of account specifics containing personally identifiable information (PII).

Insider threats by the numbers

The statistics on stolen data and insider influence across all industries, in America alone, are startling enough:

Overall, 48 percent of all breaches in 2009 were attributed to users who abused their rights to access corporate information for malicious purposes.

In addition, 90 percent of insider threat cases resulted from deliberate malicious activity, while just six percent each were caused by unintentional activity or inappropriate conduct.

Fifty-one percent of insider threat cases involved regular employees or end-users, while 12 percent involved both accounting staff and system administrators. Upper management caused seven percent of insider incidents.

Has this threat become worse recently? Not according to the volumes of historical examples dating back to ancient Greece and Rome. Insider threats have been around as long as recorded human history.

Perspective: Ancient history of warfare

Warfare, briefly defined, constantly seeks the exploitation of an inner weakness. Simply put:

It is easiest to topple or destroy a structure from within.

One modern source, The 33 Strategies of War, includes the insider threat. The Trojan Horse is often associated with malware, but its origins followed simple concepts found in ancient Greece.

Are risks increased by overseas call or data center operations?

Consider a public savagely beaten with identity thefts. In the past six years, 900 million records of personally identifiable information have been lost, roughly three sensitive records per man, woman and child in America. Most experts claim that, since data breaches are not exactly considered positive public relations, this number should be considered a low estimate.

What we don't know, and what most corporations guard closely, is which internal risk mitigations their CISOs, CSOs and IT managers must deal with to prevent breaches, and whether they choose to report breaches once they've occurred.

The deterrent value of mandated breach reporting remains questionable since overseas call centers have jurisdictional issues, which often cloud investigations. The most important conflict may come when consumer protection conflicts with the corporation's best interests.

Perspective: Ivebeenmugged!

George Jenkins, data breach victim turned consumer protection advocate, completed a series on the identity theft risks of outsourcing call and data center operations overseas in 2008. His conclusions are based on several key elements, including U.S. legal obligations mandated for identity theft notification:

It is unclear about exactly which country laws govern the protection of consumer credit and financial data.

It is [also] unclear which country laws govern the notification when the company (e.g., TransUnion, True Credit) suffers a data breach by an outsource call center vendor in another country. There has to be a balance between a company's need to manage costs, and consumers' need to trust the companies they do business with.

Consumers now know today that companies suffer data breaches.

I'll bet that when given a choice, consumers prefer that their credit and financial data is kept within their country's borders, rather than being transmitted around the globe.

How will a CIO protect the sacred data with which they are entrusted? Further, how will they hold offshore parties to the same standard?

Technology can't be the only answer for this age-old "insider threat" based in humanity.

Part two will look at this with some potential solutions.
