Tuppence a fact: the starting price for your stolen life

Scrolling down the screen, Singh added: “These [pieces of data] are ones that have been sold to somebody already. This is Barclays, this is Halifax, this is Lloyds TSB. We’ve been dealing so long we can tell the bank by just the card number.”

Singh is just one of an army of data traders selling swathes of personal information — ranging from credit card details and medical records to loans data and satellite TV information — that has been stolen from India’s enormous network of call centres.

Once in the hands of criminals and unscrupulous companies, the data can be used to defraud customers or to provide crucial leads for cold calls. The potential rewards dwarf the cost — as little as 2p per piece of information — that the data traders charge.

Posing as London businessmen after being tipped off about the activities of Singh and his business partner Vikas Solanki, our undercover reporters arranged to meet him at a hotel in Gurgaon, near New Delhi. The city is home to scores of call centres and many of the estimated 330,000 workers employed by the industry in India.

Keen to emphasise how current — or “fresh” — his stolen data was and the extent of the information he could source, Singh boasted: “If you say finance data, you will have personal data, debts he is holding, is he involved in any kind of bankruptcy, bank details, income details, is he working full-time, part-time, the position he’s working in and how he gets his salary . . .

“The credit card data I can provide you with now will be 72 hours old. They would just have got the credit card and not only credit cards, that would be debit card as well. The names and details of the customers, it will be a mixture of the banks, Barclays, HSBC, all these.

“It’s collected by the agents. It’s not the bank’s data. Barclays bank would never give me any data. It’s data that has been collected by the agents directly from the person that is holding these cards by survey and the sales they make; 72 hours means the card number would be 100% valid.”

Singh said details of a credit card issued within the past 24 hours would cost £2 and cards issued between three and six months ago were available for 30p apiece.

After loading up another spreadsheet featuring the details of hundreds of mortgage holders, Singh, who said he could filter his information by specific criteria if required, said: “With the mortgage data you will get the first name, last name, address, postcode, phone number, work number, property type, years at the property, mortgage interest rate, mortgage type . . . Mortgage data will cost you 25p and the general leads . . . will cost you 2p . . .

“Then we’ve got loan data, people who have applied for loans, people who are looking for loans, personal injury claims where people have claimed for road accidents or workplace accidents.”

The information available from Singh and Solanki also included the records of mobile phone company customers and hundreds of people who subscribe to Sky TV.

After accepting a payment of £100 in sterling, Singh, who said he had been selling such data for more than four years, agreed to provide a sample of information.

Two days later he emailed a total of 841 records, including information on 15 credit cards and data about six people earning £15,000 a month or more.

Among them was Efrain Vazquez, 69, from northwest London, who is now retired after a long career in the catering industry.

When informed of the data breach, he said: “It’s worrying that my details can be sold to you like this by people sitting in India.

“The only way anyone could have gained my details is through the internet which I have used over the years to book conferences.”

The name and personal details of Janice Jackson, a 60-year-old clerical officer from Manchester, appeared on an extensive list of Sky customers provided by Singh and Solanki.

“I am disgusted that this can happen. My personal details should not be sold to anybody and it’s about time the government took action to stop this kind of fraud,” she said.

“For months I have been plagued by cold callers offering me a variety of services such as loans and insurance policies. I always ask them how they got my details and they won’t give a straight answer.”

A spokeswoman for Sky said she did not believe the data had been obtained from the company or its agents because it did not collect some of the information, such as details on income.

The Indian authorities and British firms who take advantage of the low wages paid to call centre staff have sought to play down the threat of security breaches. When details of 1,000 British customers were sold to a newspaper by an IT worker last year, the Indian government — anxious to preserve the reputation of an industry worth an estimated £3.7 billion a year — described it as a “freak incident”.

A police source told The Sunday Times that despite the threat of a three-year prison sentence and a fine of 100,000 rupees (£1,261) for leaking and selling confidential data, prosecutions are difficult to mount. British companies are reluctant to report such breaches for fear of the potential adverse publicity.

“As far as we are concerned, officially the position is that there is no problem of people here selling stolen information belonging to UK residents simply because none of the banks or other large companies pursue complaints against criminals stealing the data,” said a senior officer in Gurgaon.

“We need to have a complaint filed by them before we can pursue the culprits. Unofficially, however, we know this business is out of control. The simple fact is the banks are worried that their customers will get scared and swap banks if they learn how easily and cheaply their confidential details are sold.”

Raghu Raman, a security adviser, warned: “Foreign clients need to understand that when they outsource to India to get cost benefits continuously, costs are being cut somewhere and many a time it is security . . . Frankly, information security in India is not in a good shape.”

Last month the scope for fraud from the use of personal data was highlighted when US officials revealed how Indian call centre staff had posed as “phantom debt” collectors to swindle millions of dollars out of more than 10,000 Americans.

The callers used personal data obtained from payday loan websites which extend small short-term loans at high interest rates to borrowers.

Officials think more than 20m calls may have been made over the past two years with collectors using aggressive and threatening language to demand payment for debts that did not exist. The total cost of this one fraud has been estimated at £3.2m.

That the data protection law appears to be failing is demonstrated by the way data traders brazenly advertise on website forums such as callcentersindia.com.

Among them are Deepak Rathod and a man called Sumeet who specialise in selling confidential information about loans as well as offering information from medical records.

“We can supply you as many loans leads as you want for the UK. We have them in the lakhs [hundreds of thousands],” said Sumeet, who claimed during a telephone conversation that he ran a call centre.

“We handle payday loans, unsecured loans, declined loans, all types. If you are interested we can also supply you PC tech[nical] support leads as well as medical records but our main databases are of loans. They start from around 20p a lead depending on which type of information you want.”

Sumeet, who described himself as the manager of a call centre in Pune, near Mumbai, asked for a deposit of 13,000 rupees (£164). Once the money was received he sent a list of 106 people who had recently applied for a loan, their address and contact details, the amount borrowed and the purpose of the loan.

One of them was Lee Scarborough, 46, a taxi driver from Sutton, south London, who took out a £15,000 loan which has since been paid off.

“I assume my information has now gone around the world,” he said when contacted by The Sunday Times. “There should be far more controls. The government should not allow companies to send information out of the country.”

Lesley Carroll, 48, a BT worker from Dundee, was also on the list provided by Sumeet. “I am absolutely disgusted that people are selling this personal information,” she said.

“I am just gobsmacked. I am ex-directory and I am always getting these [automated] phone calls and I could not understand why. It’s frightening that your personal information is now so easily available to people.”

This weekend Sumeet sent a further set of data on 500 Britons who had contacted an Indian call centre for support with their PCs and laptops.

As well as the customers’ names, addresses, contact numbers and bank, it included the internet protocol (IP) addresses for each machine and the passwords. The data would allow hackers to gain access remotely to the computers.

Jane Jacob from Barking, east London, whose name appears on the list, said: “I had a problem with my laptop and went online for help to sort it out. I contacted a reputable company. I can’t believe that my details have been sent round the world.”

Sumeet failed to respond to several requests for comment.

Claims that data traders can supply medical records will cause particular concern. In January, John Neilson, head of the government-backed NHS Shared Business Services, said more health service administration should be sent to Indian call centres to save money. Almost 700 workers there already carry out data entry and financial administration for the National Health Service.

Unions and patients’ groups warned the change could lead to job losses, a worse service and a threat to confidentiality.

Nigel Edwards, acting chief executive of the NHS Confederation, which represents health trusts, said: “It might save money for the NHS but it’s not clear it would save money for the taxpayer . . . there are concerns about confidentiality.”

Simon Entwisle, director of operations at the Information Commissioner’s Office, said the evidence compiled by The Sunday Times would be investigated. “Any company sending information overseas must comply with UK data protection laws,” he said.

Sandra Quinn, a spokeswoman for Financial Fraud Action UK, said banks were using additional security to protect against data breaches and more than 80% of online transactions required additional password information before they could be completed.

Call to act

The government was under pressure this weekend to improve the security of personal data held by call centres after the investigation by The Sunday Times.

Richard Bacon, the Tory MP for South Norfolk and a member of the public accounts committee, called on David Cameron to order a review of consumer protection rules.

In his letter, Bacon wrote: “The use of call centres . . . and the mainstream use of the internet by consumers for a wide range of purposes — from retail shopping to the purchase of financial services such as insurance and banking — leads inevitably to serious questions about whether the regulatory environment for the protection of British consumers remains adequate.

“I believe there will be a steadily increasing threat from the unauthorised use of sensitive personal data which belongs to British consumers.

“I would ask the government to undertake a review of the state of consumer protection in this area.”

Global demand for data

The personal information sold by data traders offers criminals and unscrupulous companies a host of lucrative opportunities.

John Lewis, who assessed the material obtained by The Sunday Times, said: “The trade in the details you have is widespread and is in huge demand around the world.”

Computer information: “This is worrying and has potential risks. Once you have an IP address you can get a footprint of the structure of an organisation. For an ordinary customer, there is a risk that hackers could launch a trojan attack to get your bank details and steal your passwords.”

Loan leads: “This is invaluable and could easily be used for identity theft. These details are sufficient to launch a variety of frauds by impersonation.”

Insurance data: “This provides scope for potential identity theft. Bank account details have been used to change addresses and compromise accounts.” Cedit card information: “Billions of pounds are stolen every year from credit card details obtained in this way. Besides making purchases in shops and online, there are internet sites that will essentially launder cards.”

Medical records: “This is a serious [personal] intrusion . . . and one that is valuable in marketing terms. Anyone wanting to sell insurance or medicines would know exactly who to target.”