The desire to outsource is driven by cost. IBM apparently feels the margins are too low for its contract to operate London’s congestion charge scheme. This contract requires access to the DVLA database, and IBM sought and received agreement to use Indian labor. The DVLA has stressed that only ‘access’ is being allowed from India; the data itself will remain stored within the UK. A spokesperson for the DVLA told CIO, “We are seeking appropriate assurances that it will not be possible for the data to be printed, copied or amended in any way when it is accessed from abroad.”
‘Assurances’ may not be enough. A simultaneous Sunday Times report (behind the paywall), later picked up by the Daily Mail, describes an undercover sting in India. “Two ‘consultants’, claiming to be IT workers at several call centres, met undercover reporters from The Sunday Times and boasted of having 45 different sets of personal information on nearly 500,000 Britons,” claims the report. “This is Barclays, this is Halifax, this is Lloyds TSB. We’ve been dealing so long we can tell the bank by just the card number,” the consultants told the undercover reporters.
Toby Stevens, writing in his Computer Weekly blog, says we shouldn’t be surprised. “All in all, once that data goes offshore, it's safe to assume that it's leaking, and that has always been the case... when offshore staff are handling that information on behalf of credit reference agencies, or have access to agencies' data services as part of their day-to-day jobs, then the legitimate data leaks into the black market.”
The problem is that local companies have little control over the behavior of remote staff. ‘Assurances’ thus need to be supported by technology. “While no organization is completely safeguarded against insider threats,” said Marc Lee, a director at access management company Courion, “a lot could be done to reduce the possibility of data misuse by insiders and mitigate access risk.” He advocates the use of access risk management systems to control to whom, when and from where access is granted. “Thus,” he says, “if an employee is accessing credit card records from his home PC at 2am at night, the system will be able to detect the suspicious activity and notify the security team of the potential risk.” Restrictions on data copying should also be in place, preventing data from being copied to external devices such as data sticks. “If such restrictions are consistently applied in accordance with pre-determined security policies, the risk of data misuse will be significantly reduced.”
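To make the kind of control Lee describes concrete, here is an added example (not code from the article, the DVLA, IBM or Courion) that evaluates constructed access-log events against a policy of who, when and from where: offshore sources are limited to read-only access, sensitive datasets may only be touched in approved hours, and anything else raises an alert. The policy values, source names, dataset names and log format are all assumptions.

```python
import json
from datetime import datetime, time

# Constructed policy (assumption): which source networks may reach the data,
# which of them are read-only, approved hours, and which datasets are sensitive.
POLICY = {
    "approved_sources": {"uk-office", "in-delivery-centre"},
    "readonly_sources": {"in-delivery-centre"},   # offshore: view only, no copy/amend
    "work_hours": (time(7, 0), time(20, 0)),
    "sensitive": {"dvla_vehicle_records", "card_records"},
}

# Constructed access-log lines (one JSON object per line); not real data.
SAMPLE_LOG = """
{"ts":"2012-03-20T10:15:00","user":"alice","src":"uk-office","dataset":"dvla_vehicle_records","action":"read"}
{"ts":"2012-03-20T11:02:00","user":"raj","src":"in-delivery-centre","dataset":"dvla_vehicle_records","action":"read"}
{"ts":"2012-03-20T11:05:00","user":"raj","src":"in-delivery-centre","dataset":"dvla_vehicle_records","action":"export"}
{"ts":"2012-03-21T02:00:00","user":"bob","src":"home-pc","dataset":"card_records","action":"read"}
"""

def evaluate(event, policy=POLICY):
    """Return the list of policy violations for a single access event."""
    findings = []
    ts = datetime.fromisoformat(event["ts"])
    # Where: access from a network that is not on the approved list.
    if event["src"] not in policy["approved_sources"]:
        findings.append("unapproved_source")
    # What: a read-only (offshore) source attempting to export, print or amend.
    if event["src"] in policy["readonly_sources"] and event["action"] != "read":
        findings.append("write_from_readonly_source")
    # When: sensitive data touched outside approved working hours.
    start, end = policy["work_hours"]
    if event["dataset"] in policy["sensitive"] and not (start <= ts.time() < end):
        findings.append("out_of_hours")
    return findings

def scan(log_text, policy=POLICY):
    """Run the policy over every log line; return (user, timestamp, findings) alerts."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        findings = evaluate(event, policy)
        if findings:
            alerts.append((event["user"], event["ts"], findings))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)   # the export from India and the 2am home-PC read are flagged
```

In a real deployment the alerts would be routed to the security team rather than printed, and the read-only rule would be enforced at the application or DLP layer, not only detected after the fact.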