FranklySpeaking: March 2012

Thursday, 22 March 2012

Data and Identity Theft: India Perspective (Part II)


Are Indian companies equipped to tackle data and identity theft from within the company as well as from external attacks? Read on...


"An employee is leaving and you’ve heard he is going to work for the competition or is setting up his own business to become the competition. You’ve worked for years to build up your business and can’t risk your competitors obtaining your valuable confidential information from this employee," alerts Deloitte, one of the Big Four accounting firms, in an article posted on its web site titled "Theft of confidential Information."

The article quotes a survey conducted by the Ponemon Institute -- a consultancy firm that helps private and public sector organizations consolidate their data protection and security practices -- that says "60% of exiting staff admitted to taking confidential company information with them when they left."

Such a revelation is likely to give employer companies the heebie-jeebies, as there are multiple risks at stake in such cases. The Ernst & Young fraud survey -- Fraud & corporate governance: Changing paradigm in India -- found that companies were reluctant to take legal recourse against an exiting employee involved in data theft, owing to fear of collateral damage and the resultant loss of reputation of the company. Weak anti-fraud measures were the other reason, the report said, why companies were unwilling to step forward and press charges. The report did not say what the weak measures were, but summed up saying "Companies still rely on traditional anti-fraud measures."

Most of these companies -- 330 in IT services, 119 in ITES/BPO/KPO, 13 in telecom and 62 others -- are members of the Data Security Council of India (DSCI), a not-for-profit organization that is responsible for promoting as well as developing data protection and security and privacy codes and standards. "While its immediate goal is to raise the level of security and privacy of IT and BPO service providers to assure their clients and other stakeholders that India is a secure destination for global sourcing, DSCI also promotes these best practices for domestic industry segments like Banking, Telecom and E-governance," is how the organization describes itself on its web site.

Although most of these companies seem to be equipped to tackle data and identity thefts by employees, little is known about their preparedness to stymie external attacks.

Two days ago, a report on the Times of India's web site appealed to individual and corporate internet users to beware of KhantastiC, a hacker belonging to the Pakistan Net Army.

"They attacked and defaced 31 government websites this year exposing the poor handling capacity of web servers by state government," the report said, referring to the attack reported from the state of Rajasthan.

The report did not say whether the crime involved data and identity theft, but warned that more than 70% of government web sites were vulnerable to cyber attacks.

India's outsourcing industry is aiming at $225 billion in export and domestic revenues by 2020. Currently, 80% of its revenues come from US and European clients. However, the slowdown in these markets has prompted Indian companies to seek business from other emerging markets including China, Latin America, Russia and Africa.

Aiming for such voluminous business also means an explosion of data that its digital ecosystem will have to handle and PROTECT.

Part III of the series will delve into the data and identity theft experienced by companies in the United States and their government's preparedness.


Part IV will talk about how data and identity thieves are ensnaring personal information of children and how the governments in the United States and India -- the oldest and the largest democracies in the world -- deal with it.


The author can be reached at francisadams2010@gmail.com and on +91 9916484564



Monday, 19 March 2012

Data and Identity Theft: Common, Growing Menace (Part I)


By Francis Adams

This is an attempt to dig into the nature and scope of data and identity theft. In the first of the four-part series, the writer delves into how the threat is affecting individuals and companies.

In spite of unwavering vigilance and surveillance by both government and private watchdogs, backed by the use of advanced technology in stonewalling such incidents, data and identity theft in the United States and India -- the world's oldest and largest democracies -- are reported to be on the rise.

Ernst & Young, among the world's top four accounting firms, revealed in its ‘Fraud & Corporate Governance: Changing Paradigm in India’ report that data or information theft, along with IP infringement, were among the top five frauds in the country. In the United States, a survey by California-based research company Javelin Strategy & Research found that about 11.6 million citizens were victims of identity theft in 2011, compared to 10.2 million the survey had revealed in the previous year.

Last week, the U.S. Immigration and Customs Enforcement homeland security agents and the Secret Service arrested 19 people operating in a transnational ring that involved data and identity theft of victims from Europe, the Middle East, Asia and the United States, prompting an official to dub it "Operation Open Market".

A Federal Bureau of Investigation report, on March 13, said six people pleaded guilty to charges of identity theft after they had attempted to defraud the United States by filing fake tax returns in the names of deceased taxpayers. The conspirators apparently sent the US Treasury checks obtained by fraudulent returns to co-conspirators in Ohio, who then sold and distributed them to businesses and banks.

Days after Ernst & Young released its fraud survey report came Monday's news that two call centre staff in India were busted by undercover reporters from the United Kingdom while trying to sell critical personal information -- names, addresses, phone numbers and credit card details -- of millions of Britons for tuppence, or twopence or two Old British pence. The report claimed that the stolen data belonged to a few of Britain's large financial companies and banks, such as NatWest and HSBC.

In its survey, Ernst & Young has revealed that besides the regular targets from the banking, non-banking financial companies, real estate and telecommunication sectors, an increasing number of data and identity theft cases have now emerged from companies in infrastructure, IT/ITES and consumer products.

"The motive of committing a fraud now has shifted from “need” to “greed” making the perpetrator perform fraud to support opulent lifestyle. A typical fraudster today is in his 30's, generally from the middle management of a company. He/she is ambitious and comfortable with technology, sitting at a remote location generally working in the procurement or sales departments of companies," said the report.

Javelin Strategy and Research, which uses a broad definition for identity theft, that is, "any time a transaction occurs using a victim’s name or account information without authorization", found that certain social media and mobile phone behaviors are also easy prey for identity thieves.

"Despite warnings that social networks are a great resource for fraudsters, consumers are still sharing a significant amount of personal information frequently used to authenticate a consumer’s identity. Surprisingly those with public profiles (those visible to everyone) were more likely to expose this personal information. Specifically, 68 percent of people with public social media profiles shared their birthday information (with 45 percent sharing month, date and year); 63 percent shared their high school name; 18 percent shared their phone number; and 12 percent shared their pet’s name—all are prime examples of personal information a company would use to verify your identity. Smartphone owners experience greater incidence of fraud—The survey found seven percent of smartphone owners were victims of identity fraud," the report said.

Edward John Maher, a fugitive from England, was arrested last month and indicted by the United States Attorney for the Western District of Missouri for using a Social Security card, not issued lawfully in his name, as an identification document for employment verification, last year. The indictment also claimed that Maher used the identification knowing full well that it belonged to another person. "This charge is related to Maher’s alleged use of a Missouri driver’s license in the name of his brother, Michael Maher, on Oct. 12, 2011," according to an FBI report.

While protecting personal information on social media and on mobile phones is primarily the individual owner's responsibility, safeguarding customers' personal information is the responsibility of the respective company. In the United States, many states, led by California in 2002, have enacted laws that put the burden of tackling identity theft cases on businesses. The law in California requires that companies inform customers when their Personally Identifiable Information or PII -- as it is used in information security -- has been stolen or compromised. Today, about 45 states and U.S. territories have put such a law in place.

"More and more companies are taking cognizance of the changing regulatory scenario. We are seeing an increased focus on corporate governance. Also companies are increasingly now taking proactive measures against fraud, bribery and corruption," the Ernst & Young report has noted about the scenario in India.
