Orange to investigate security lapses at UK call centres

gallery

Mobile phone and broadband provider Orange is investigating claims that poor security practices at its call centres that could expose customers to the threat of identity theft.

An investigation by an undercover reporter for Channel 4 News found at one call centre in North Tyneside, employees with access to sensitive information, such as customer's bank details and dates of birth, were told to share passwords and usernames.

Gary Quinn, a former Orange employee, claimed that when a customer rang up a call centre to pay a bill with a credit card, that customer had no idea that the operator could be logged on "under completely false identification and therefore completely untraceable."

The employee however said that he was unaware of any fraudulent activity taking place at the call centre.

Orange responded to the accusations and said all frontline staff were given unique usernames to access sensitive databases.

"The security of customer information is paramount to Orange. It is Orange policy that no member of staff should log in using any username other than their own," the company said in a statement.

Orange said that last month, a temporary employee told his team leader that he was aware of some members of Orange frontline staff sharing their logins. It said it immediately issued a communication to frontline staff, "reinforcing our policy and then began to thoroughly investigate the claim."

Experts said the report showed businesses that it was important to segment sensitive data from general available content, in order to defend against the theft of intellectual property and identity information.

"Doing so protects both the owners of that data and the users who may be compromised in order to affect a theft," said Alex Raistrick, Northern Europe director at ConSentry Networks.

"There are a number of ways in which this data can be stolen, including a breach of the network perimeter from an external source, through the coercion of an honest member of staff, by stealing a computer belonging to the company and using it for access or theft by a rogue authorised member of the company," he said.

Raistrick added that to defend sensitive information, the most effective approach was to allow only appropriate and authorised users access to the data whilst creating a full usage log, giving a trail of activity if a breach of security is discovered.

"Understanding what machine is connecting to your network, who the user is and what access they require to do their job enables an organisation to segment data without impacting productivity," said Raistrick.

Email to a friend

Print this page