Media Centre
Fraud Updates
PCB News
Fraud Updates 2005
27 June
It has recently been reported that an Indian call centre worker sold the bank account details of 1,000 UK customers to an undercover journalist acting for the Sun newspaper for £3.00 each. The details included account holders' secret passwords, addresses, phone numbers and passport details.
The centre worker reportedly told the Sun he could sell up to 200,000 account details each month. The centre worker claimed to have obtained the information from a network of contacts working in a number of call centres throughout India. The information passed on could have been used to raid the accounts of victims or to clone credit cards.
Under section 13 of the Data Protection Act 1998, an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Act is entitled to compensation for that damage. British companies who out-source jobs to India may still be data controllers and may still be liable for any losses resulting from the fraudulent sale of the data transferred outside this jurisdiction. Companies should therefore consider the viability of civil action against call centres to recover any losses resulting from the fraudulent sale of data.
20 June
It has recently been reported that attacks carried out by hackers are becoming increasingly elaborate. They are often masterminded by organised crime networks and can be carried out in large volume. Ernst & Young warn that hacking tools have become much more sophisticated with viruses now being able to steal identities and documents.
The demand for "ethical" hacking teams has grown recently with companies increasingly hiring "white hat" ethical hackers to protect them against "black hat" computer criminals. However, it is strongly advisable for companies to enter into written contracts with these hacking teams when undertaking ethical hacking, otherwise they could fall foul of the Computer Misuse Act 1990.
Companies should also bear in mind that under the Data Protection Act 1998 they should take all reasonable technical and organisational measures against unauthorised access to personal data and as such companies should consider using ethical hackers. If companies do become the victim of crime, they should always consider using the civil proceedings as a method of recovering stolen assets.
8 June
It has recent been reported that Nominet, the domain registrar for all domain names ending in ".uk", has obtained a Freezing Order in the Australian courts to freeze the assets of two fraudsters. The fraudsters allegedly accessed Nominet's WHOIS database, which contains details of the owners of all ".uk" domain names, and "data-mined" the contact details of 50,000 domain name owners. The data was then allegedly used to send misleading invoices in the name of "the UK Internet Registry".
The fraud forced Nominet to temporarily suspend access to its WHOIS database. However, the fraudsters have now been prohibited from transferring assets to third parties or out of Australia until the court determines the extent of their liability for breaching Nominet's copyright in its WHOIS database.
The case is yet another demonstration of the effective use of the civil court by victims of fraud to protect their assets and recover their losses. The English courts have a variety of powers to trace fraudsters and thieves of confidential information. The Court may grant orders against third parties such as banks and ISPs to force them to provide information about the fraudsters. Once the fraudsters have been found, it is possible to freeze their worldwide assets.
| July 2005 | April 2005 |