This week's Sunday Times (no link, it's behind the paywall) carries a double page 'exposé' of the trade in stolen personal data from Indian contact centres, data entry services, IT support helpdesks and hosting services. The article describes how undercover journalists were offered lists of personally identifiable information, including bank data, credit records, loan details, card issuance details, account data and other records, allegedly stolen from the likes of Barclays, Lloyds TSB and Sky TV. The black market traders were asking from 2p to £2 per record, depending upon the potential value (driven by content, context and timeliness) of the data provided.
The article quotes a number of horrified 'victims,' (none have actually suffered a material loss) who express their outrage that their details are available, and in some cases claim they know the only possible source for the data, citing conference bookings and IT helpdesks as sources. The authors interview the Information Commissioner's Office, obtaining a commitment that the ICO will investigate, and Richard Bacon MP calls for the government to cease sending personal information overseas (for example, the NHS sends forms to India for data entry purposes).
What the authors fail to do is to interview an acknowledged security expert. Had they done so, they would have realised that this story is hardly news, and it's hardly fair to specifically point the finger at India. The offshoring of data for economic purposes is fraught with risk: services are invariably outsourced to the cheapest bidder, which means that corners are going to be cut somewhere, and information security controls are bound to be squeezed; the cheapest bidder is likely to draw its workforce from an environment where incomes are very much lower than the UK, and that means that the threshold for a successful bribe is much, much lower (almost any security system can be circumvented if the sysadmins collude to accept bribes); firms that offshore their services are rarely in a position to monitor or enforce the arrangement (after all, the whole point was to get rid of the function) and if they do discover something amiss, they're hardly likely to publicise it or to report it to the police or ICO because what can they actually do about it, other than to close down essential business functions (although this does sometimes happen); and even if the police are called in, there is the horrendous cost for the client to liaise with the investigation and bring a conviction, when local officers are also subject to the 'cheap' bribes that the culprits accepted.
All in all, once that data goes offshore, it's safe to assume that it's leaking, and that has always been the case.
What the article seems to reveal is an ignorance - at least amongst the individuals quoted - of the insight that credit reference agencies and data mining companies have into our personal lives, all through legal and regulated means. The claim that data could only have been leaked by Sky TV or a particular bank is hogwash, since those companies consume risk data from credit reference agencies as part of their account provisioning processes, and provide it back again in a reciprocal arrangement to maintain the accuracy and completeness of those records. The difference between the legitimate and black markets for personally identifiable information is how that information is used, and when offshore staff are handling that information on behalf of credit reference agencies, or have access to agencies' data services as part of their day-to-day jobs, then the legitimate data leaks into the black market.
So no big deal there, and no real news story for the Sunday Times. But on the same day the Observer came up with something more interesting that adds a new context: that the government has allegedly reached a 'secret' agreement that access to 'particularly sensitive' personal data on on all 43m UK drivers can be offshored to India by IBM. I'd argue that in most cases the data is unlikely to be 'particularly sensitive' (although photocards can imply the holder's ethnicity, and in some cases records may relate to drivers' health conditions), what is more worrying is the potential for local staff to modify records in response to organised criminals' bribes. The driving license is, rightly or wrongly, one of the most widely trusted identity documents, and if we start to see widespread fraud entering the system (as opposed to the small-scale fraud that will inevitably already be in there) then trust in that document will be undermined. There is a strong likelihood that DVLA's data will be of importance for the cross-government identity assurance programme, so now is not the time to break confidence in that data source.
What's to be done? As Richard Bacon MP demands in the original Sunday Times piece, we need much tougher enforcement of Data Protection laws, but we should stop expecting that to come from overseas: the solution rests in our being able to impose severe penalties upon Data Controllers who are shown to have failed to control their offshored data in an adequate way, and even tougher penalties on companies that knowingly consume illegally-obtained data. That can only happen with reform of the regulatory bodies concerned to ensure that they are suitably resourced and empowered.
For enforcement to work, we need to be able to prove the source of both legitimate and leaked data, and that will require a mandatory change in the way that companies record personal data: specifically, it's time for mandatory metadata to be held, with associated digital signatures, to prove the source and legitimacy of a personal data asset. Only when companies are obliged to cryptographically prove the source of their data will we have any hope of meaningful enforcement.
Consumers will have to accept some hard facts as well: if they don't want their data to go offshore, they're going to have to pay for it to stay in the UK, because businesses will need to offset the increased cost of UK processing. Consumers also need to understand that most every aspect of their personal history is already out there in some shape or form. We can't delete it because we don't know where it all is, but we might possibly ensure that legitimate organisations can only use it in accordance with the law; and until there is a more effective regulatory regime in the UK, there's little point in trying to bring our bytes back home.