Banks face prosecution over Indian call centre leak

UK banks have been warned they face prosecution for breaching the Data Protection Act after a call-centre worker in India sold bank account details of 1,000 UK customers to an undercover reporter.

The security leak was discovered following an investigation by a newspaper reporter from The Sun, who was able to buy bank account, credit card, passport and driver's licence details of UK bank customers for just £4.25 each.

The call centre worker in New Delhi also told the reporter he could supply confidential data from 200,000 accounts a month. The newspaper handed a dossier with all the details to the City of London police.

Detective Inspector Oliver Shaw of the economic crime unit at City of London police said in a statement: "Unfortunately we have no jurisdiction to prosecute in the UK so we have passed it through Interpol to the Indian authorities."

A spokesman for data protection watchdog the Information Commissioner's Office said the security leak is a matter of "great concern" and warned that UK-based companies that outsource their customer services to a call centre, whether in the UK or overseas, remain legally liable for any security failings.

"It seems likely that a criminal breach of the Data Protection Act 1998 has occurred. We will be contacting the City of London police, as well as taking the matter up with those UK companies whose customers' details have been provided to The Sun," he said.

But banking watchdog the Financial Services Authority (FSA) refused to say whether it would launch any investigation.

An FSA spokeswoman told CNET.co.uk's sister site silicon.com: "Our concerns are whether adequate security controls were in place, but a determined fraudster is always going to get through."

The latest breach could ignite a backlash against the Indian outsourcing industry. Earlier this year, the accounts of US Citibank customers suffered a theft of $350,000 because of a security breach at a call centre in India.

But Indian IT trade association Nasscom said these incidents are rare and can happen at call centres regardless of which country they are located in.

A Nasscom statement said: "Nasscom will work with the legal authorities in the UK and India to ensure that those responsible for any criminal breaches are promptly prosecuted and face the maximum penalty. The problem is not unique to any single nation -- it is one that affects us all -- and each of us has a responsibility to take on the criminals. India, with its strong legal system and its independent judiciary, is a country that takes this responsibility extremely seriously."