Recently, it was disclosed in the Indian press that a large amount of data was stolen by an Indian BPO from a company in United States. It's amazing this story didn't get very much coverage in the West, despite the fact that the data was stolen from a company called Noble Ventures, which is based in Florida? As a slight disclaimer ComputerWorld (Norway) and CIO (Australia) did cover the story, but I was unable to find anything about it in the American press.
I suppose in this instance we will have to rely on the Indian media to provide some transparency to this event. Parth Shastri at TNN reports:
It could well be one of the biggest data thefts in the country. An Ahmedabad-based BPO owner, Maulik Dave, has been accused of data theft from a Florida-based company and selling them to its rival companies in the US.
Dave stole data worth Rs 1 crore (ten million) from the company. With the help of his accomplice based in the US, Milan Dabhi, he sold the data to competitors of the company in the US.
Apparently this occurred after Dave got his contract cancelled with Noble Ventures Inc., who "provides customer database of 1.25 crore (ten million) US citizens to various marketing companies in the US and also has a client-base in other international markets," according to the TNN article.
Of even greater concern to me was the deduction (my speculation) that Dave had insider access to their systems after his contract was cancelled? From the article, it is unclear if this was because the access was never removed, or if he got it from another Noble Ventures employee, Milan Dabhi, who is based in the U.S. and allegedly Dave's accomplice.
In another article published by the IT Examiner in India a person claiming to be a spokesman for Noble Ventures, Sunny Vaghela with credentials as a cyber crime expert, claimed that the information was stolen, but never sold. The rationale for this was that Noble Ventures reported the theft to Indian authorities and a sting (?) was conducted.
From the IT examiner article:
He further added claiming the theft report of 12.5 million Americans’ personal and professional records to be untrue as he assumed of some kind of miscommunication between the reporters and the Police.While I hope this is true, the logic in this is flawed (my opinion) because the information was stolen by someone, who had inside access prior to the discovery that the data was being compromised. How can it be determined that it was never sold to anyone else? Information is bought and sold in a lot of places, including underground Internet forums set up for illicit purposes. Additionally, no matter where it might have been sold, it is unlikely that anyone, who bought it illegally is going to stand up and be counted in this affair.
I went to the Noble Ventures site and they offer a lot of information for a price. Targeted data on executives, "heroes" (police and firemen), veterans and a slew of other marketing segments can be obtained. They even sell e-mail lists.
While I couldn't determine if this information was enough to open a line of credit, it could certainly be used to mount telemarketing scams, spam campaigns and even whaling (phishing) expeditions like the recent one we've seen targeting executives in the United States. Verisign just reported that 15,000 white collar types were speared in this expedition.
Please note that even though I am assuming no financial or SSN information was compromised -- if a dose of social engineering, phishing or malicious software is added to the equation -- getting the rest of the information to commit identity theft would probably be fairly easy.
Incidents, such as this, continue to point to the fact that there is too much information being stored in too many not very well protected places. In fact, this incident might point to the fact that the problem is getting worse.
We also need to remember that this information came from a U.S. company, and although I don't know where the server was physically located, it didn't have to be located in India for this to have occurred.
Information like this is protected by the FTC's Telemarketing Sales Rule.
Violations in the United States of this rule can be reported, here.
TNN story from India can be seen in full, here.
ComputerWorld, Norway story about this, here.
CIO Australia story, here.