You’ve been framed: ID fraud threatens branding, bottom line and business ethics
The news this week that insurance giant Aviva had been defrauded by corrupt workers at an off-shore Indian call centre throws stark light onto not only the risks involved in outsourcing mission-critical data to third-party entities in foreign jurisdictions, but also the vulnerability of private identity data when abused by such organised criminals and the ramifications for victims’ lives.
According to recent reports, insurance giant Aviva, best known for its Norwich Union line of business, has suffered a major business process off-shoring fraud when an underworld criminal gang infiltrated EXL Services in the Indian city of Delhi and then routinely made false insurance claims with stolen IDs via UK-based accomplices posing as bona fide customers – but using genuine customer ID and personal data to dupe the claims handlers; all ID data was procured directly from the call centre data in India. The case is ongoing, with police still investigating the extent of the organised ID heist.
Whilst the financial cost to the company is one thing, their brand reputation has also been rocked severely by such heinous abuse of ID data. Given due process and safeguards, with good governance, risk and compliance systems, internal controls and segregation of duties in place, such corrupt and criminal practices should not have occurred.
It might come as some surprise, therefore, that the reality of entrusting whole-set personal ID data to organisations is not best practice, not good for business and not good for brand reputation. The message must be starting to sink in across the private sector, especially in such challenging economic conditions.
However, this is unfortunately not the case everywhere yet. The public sector’s recent ongoing cases of abject failure to safeguard and adhere to strict compliance procedures, with transparent audit trails and accountability, such as the HMRC data-gate debacle, the DVLA data loss and a raft of others, are effectively placing public sector processes outside the remit of most GRC target solutions, with scant regard for the consequential loss to innocent private customers and citizens, though this should be far from the case, given the sensitivity of the data and processes they purport to steward on our behalf.
There’s a strong content management element to all these cases, especially on the compliance side. Documents being produced need to be managed. Sensitive information needs to be pushed out to different parts of the organisation in a timely but, at the same time, considered manner. You need to document your internal controls, demonstrating that processes, segregation of duties and suchlike are effective, making these kinds of incidents much more difficult to perpetrate. It’s all very well having an all-singing, all-dancing digital asset repository at your fingertips; the problem is, whose fingertips?
This latest global ID data theft is another wake-up call for everyone. It has to stop. Once the ‘Pandora’s Box’ is opened, it’s impossible to slam the lid shut before unquantifiable damage is done. As they say in the retail trade, once it’s gone, it’s gone.
So what’s the answer? Prevention is always better than cure. There’s no point being wise after the event. The answer is not to sacrifice the sanctity of your personal ID details to armies of unaccountable third-party agencies without vastly improved management systems and processes – and most of all – personnel verification. If only a select few have access to your ‘whole-set’ ID data, then the propensity for corruption is diminished proportionately. The problem lies, as evidenced by the Aviva case, where untold hundreds, even thousands, of staff have unfettered access and duplication potential with those priceless records. That’s why multi-agency access rights fall down, because the finger of suspicion cannot point to any one person or organisational area with any level of accuracy. There are simply too many ‘Achilles Heels’.