• United States



Banks Won’t Face Charges Over India Data Theft

Jan 17, 20062 mins
CSO and CISOData and Information Security

The U.K. banks whose customer data was allegedly stolen from an Indian call center and sold to an undercover reporter last year will face no charges, a spokesman for the U.K. Information Commissioner’s Office said Monday.

The office, which helps enforce the U.K.’s 1998 Data Protection Act, has received no complaints about the alleged data theft since it was reported by The Sun newspaper last June, and has also not seen evidence that the incident took place, the spokesman said.

“We haven’t been able to get (evidence) from The Sun,” the spokesman said. “Without any further information, there’s really no case.”

The Commissioner’s Office concluded from its investigations that security policies at the Indian call centers were sufficient, the spokesman said.

According to The Sun story last year, the undercover reporter bought information relating to 1,000 bank accounts from a seller who said he had gathered the data from contacts at call centers in Delhi.

The data pertained to accounts held in British banks who had outsourced work to call center companies in and around Delhi, the tabloid newspaper said. The seller, identified by The Sun as Kkaran Bahree, told the reporter that he could provide 200,000 more account details per month, The Sun reported.

Police in Delhi have said they could not arrest Bahree because they received no formal complaint from the call-center companies, the banks or their customers. India’s National Association of Software and Service Companies (Nasscom) has also said it never received a complaint, and Bahree was never charged.

Bahree has claimed that he gave The Sun reporter a CD at the insistence of a friend without knowing that it held classified contents. One NASSCOM official has accused the Sun of conducting a “sting operation” in order to tarnish the reputation of India’s outsourcing industry.

The Sun has said it turned over information about the incident, including the names of the banks involved, to the City of London Police. However, the City of London Police has said it had no jurisdiction to bring prosecution in the U.K. and that it passed the information on to the Indian authorities.

The spokesman for the Information Commissioner said the case could be reopened if complaints or evidence relating to the data theft turn up.

By James Niccolai – IDG News Service (Paris Bureau)