Dial D for Data Theft

Watch out. This stranger knows all your confidential information: credit-card details, bank accounts, passport number, driving licence particulars and social security number

Akash Bisht Gurgaon

Twenty-four-year-old Sandeep Mohanty (name changed) is an executive with Keane Worldzen, a multinational Business Process Outsourcing (BPO), based in Gurgaon. He is required to

realise debt amounts from customers based in the US and the UK. In an eight-hour shift in one night he speaks to more than two hundred customers, and, if lucky, collects more than $10,000 for

his company.

Mohanty is well-versed in the debt collection rules and regulations of the US and the UK. He is familiar with the different Acts and provisions that could land an offender in jail. During interaction with his customers, he repeatedly enquires about their confidential information, like credit-card details, bank accounts, passport number, driving licence particulars, and social security number.

Except for his wallet, he is not allowed to take personal belongings to the work floor; he keeps them in lockers provided by the organisation. However, he still manages to sneak out confidential information, gathered during his conversations with foreign-based customers. “The security is tight but not up to the mark, and information can be leaked out easily. I have details of hundreds of credit cards stored in my email account and I can use them for petty shopping sometime in the future.  I can use them to surf paid websites and can even sell the list to someone in the US,” reveals Mohanty.

He considers purchasing anything online risky because he could get

caught due to his location. Hence he prefers to use the cards on the Internet for pornography and other online-payment sites. “I am not the only one doing this,” defends Mohanty.

In the recent past, India has witnessed scores of incidents of data theft and Intellectual Property Rights (IPR) violations, which have made foreign investors re-think their plans of investing in India. These incidents have made headlines all across the globe and especially in the UK and the US where there is already a strong backlash on the issue of outsourcing to India. Customers abroad seem to be dissatisfied with the adequacy of data protection and privacy laws in India. During his visit to the UK, Prime Minister Manmohan Singh had to reassure investors that India would take into cognisance their concerns about data theft and IPR laws.

Subsequently, the government has proactively responded to these concerns by proposing amendments to the IT Act of 2000, which will be tabled in the next session of the Parliament. Although the Act has been subjected to various amendments since its inception, loopholes remain and surface every now

and then.

Acme Tele Power Private Limited, a Manesar-based IT company, has decided to shift its $10 million R&D facility to Australia because of a recent incident of data theft that caused it a loss of Rs 750 crore. Kapil Kathpaliya, CEO, Acme, narrating the incident to Hardnews, said, “We developed a product called Power Interface Unit (PIU) and had it patented by the government of India. The patent was valued at Rs 750 crore by Ernst and Young. One of our employees, Sachidanand Patnaik, worked on the project and leaked the patented software of PIU to Lambda Eastern Telecom Limited.” According to him, Patnaik got a huge increase in his salary after he left Acme and joined Lambda, where he has been working for the past five months. “The product Lambda is selling—BTS Shelter—was made only after Patnaik shifted to Lambda. And this cannot be prepared in such a short period without proper R&D,” said Kathpaliya.

“The role of the police amazes me. When they went to Lambda to check if Patnaik had leaked information to his present employer, they took only Patnaik’s computer and didn’t check the rest,” said a frustrated Kathpaliya. He blamed the Gurgaon police for giving a clean chit to Lambda and its Managing Director Sunder Goyal and Director Gunjan Arora, who, he alleges, were the masterminds behind the data theft. The cyber crime wing of Gurgaon police had proof that the data had been transferred to Patnaik's email ID, but could not establish if it had been transferred to any other host. Patnaik was arrested and then let out on bail. Both Goyal and Arora were unreachable when Hardnews tried to contact them.

This was a perfect example of IPR violation and data theft, but due to lack of tighter provisions and stiffer penalties in the IT Act, the offenders were freed without much interrogation and investigation. The IT Act, 2000, is not complete and doesn’t even define the term ‘cyber crime’. In fact, the Act lists such thefts under Chapter XI, entitled ‘Offences’, in which various crimes are described as penal offences punishable with imprisonment or fine. “The IT Act still has lot of scope for amendments, to be at par with developed countries’ data security practices. There is weak enforcement of IPR in India. In this age of globalisation it is a business imperative to conform to the IPR regime. We are the IT superpower in the world, but our laws don’t reflect that. We are still in a nascent stage of creating laws, but these laws are not in tandem with rising economic growth. We need a devoted legislation on cyber crime that can complement the Indian Penal Code,” stressed Karnika Seth, cyber lawyer, practising at the Supreme Court.

There is also a need for IT-savvy lawyers and judges, as well as skill-

training for government agencies and professionals in computer forensics. There are few attorneys, judges and police officers well-versed with the IT Act.

“I don’t think the police know much about data theft and IPR violations. They don’t value IPR and are not trained to handle such cases,” complains Kathpaliya. Gurgaon, the IT hub of North India, has only two cops in its cyber cell. The police personnel need to be skilled in understanding and fighting this kind of crime, which involves data theft and IPR violation.

However, Kiran Karnik, NASSCOM president, says, “There is no room for complacency. In India, we are determined to keep all procedures under review in order to stay ahead of criminals. Security is and will remain our Number One priority.” He added that NASSCOM is providing training to police personnel and opening cyber labs across the country to handle cyber crimes, data theft and IPR violations. It has initiated a national registry of employees in the IT industry, conducts ‘Cyber Safety Weeks’ for consumer awareness, is establishing a self-regulatory organisation to ensure highest standards across the industry, while working closely with the government to evolve amendments to India’s already tight laws. NASSCOM wants to ensure a globally best cyber environment in India.

“Strict precedents have to be set. We must make sure that the data-theft criminal is taken to court and is penalised strictly so that potential thieves do not resort to data theft,” says Sam Chopra, President of the Call Centre Association of India.

Cynics still argue that it is a long haul before cyber crime can be effectively countered. Till then, all confidential information could become public property. So, watch out…