Is India’s Rise in BPO a Security Trojan Horse?

India is often called the “back office of the world” for its dominance in the business process outsourcing (BPO) sector. BPO is the practice of contracting non-core business functions, such as customer service, data entry, accounting, and IT, to a third-party provider, usually in a low-cost location. India has been the preferred destination for BPO services for many Western businesses, especially from the US and the UK, for its large pool of skilled, English-speaking, and cheap labor. According to the Tholons Services Globalization Index 2019, India ranks first in the world for BPO services, contributing 5.4% to its economy.

But while India’s BPO industry has brought many benefits to the country, such as employment, income, and innovation, it has also raised serious concerns about the security and privacy of the data that is being handled by Indian BPO workers. As the BPO industry deals with sensitive and confidential information of millions of customers, such as financial records, medical histories, and personal details, the data must be protected from unauthorized access, misuse, or theft. However, there have been numerous cases of data breaches, frauds, and scams involving Indian BPO workers, exposing the vulnerabilities of the industry and the risks for the clients.

Why do Western businesses outsource their BPO to India?

The main reason why Western businesses outsource their BPO to India is to save costs and increase efficiency. By outsourcing their non-core functions to India, they can focus on their core competencies and reduce their operational expenses. For example,

A US company can hire an Indian BPO worker for as low as $40 per day, which is much lower than the minimum wage of $40 per hour in the US. This way, the US company can save up to 80% of its labor costs, while the Indian BPO worker can earn a decent income compared to the average salary in India.

Another reason why Western businesses outsource their BPO to India is to access a large and talented workforce that can provide quality and timely services. India has a population of over 1.3 billion people, of which about 600 million are under the age of 25. India also has the second-largest English-speaking population in the world, after the US, with about 125 million people fluent in the language. Moreover, India has a strong educational system that produces millions of graduates every year, especially in the fields of engineering, science, and technology. These factors make India an attractive destination for BPO services, as it can offer a variety of skills and expertise to meet the diverse needs of the clients.

What is the reality of the BPO industry in India?

While the BPO industry in India may seem like a lucrative and glamorous career option for many young Indians, the reality is far from ideal. The BPO industry in India is plagued by many challenges and problems, such as low wages, long hours, high attrition, poor working conditions, health issues, and social stigma.

Many BPO workers face stress, burnout, sleep deprivation, and health problems due to irregular and night shifts, high-pressure and monotonous work, and exposure to abusive and angry customers. Many BPO workers also face discrimination and harassment from their colleagues, managers, and society, as they are perceived as low-skilled, immoral, or anti-national for working for foreign clients.

Staff, who handle customer data often lack seriousness and commitment to their job.

Freshers in particular, in BPOs do not value their companies or see them as long-term employers. They are mainly interested in earning pocket money to support their lifestyle or University tuition fees and they plan to leave the company as soon as possible. They do not consider BPO work as a career option, and they do not develop loyalty or psychological attachment to their companies.

However, the most serious issue facing the BPO industry in India is the lack of data security and privacy. Many BPO workers have access to sensitive and confidential data of millions of customers, but they are not adequately trained, monitored, or regulated to ensure the proper handling and protection of the data. Many BPO workers are also tempted or coerced to misuse or leak the data for personal gain or criminal purposes. There have been several instances of data breaches, frauds, and scams involving Indian BPO workers, such as:

1. In 2004, an Indian BPO worker sold the personal and financial details of 20,000 customers of a UK bank to an undercover reporter for £5 per record. [/Ibscdc]
2. In 2005, four Indian BPO workers were arrested for stealing $350,000 from the accounts of US Citibank customers by using their passwords and security codes. [/Rediff News]
3. In 2006, an Indian BPO worker was caught selling the medical records of 100,000 patients of a US hospital to a Canadian telemarketing company for $20,000. [/SCIAM]
4. In 2008, an Indian BPO worker hacked into the email account of a US presidential candidate and leaked his personal and campaign information to the media. [/Teachrader]
5. In 2010, an Indian BPO worker blackmailed a UK woman by threatening to post her nude photos online if she did not pay him £500. [/BBC]
6. In 2012, an Indian BPO worker stole the credit card details of 2.9 million customers of a US retail chain and sold them to a cybercrime syndicate for $1.5 million. [/Money Life]
7. In 2014, an Indian BPO worker impersonated a US tax official and duped a US citizen into paying $500 as a penalty for tax evasion. [/Wikipedia]
8. In 2016, an Indian BPO worker hacked into the database of a US insurance company and stole the personal and health information of 80 million customers. [/Wikipedia]
9. In 2018, an Indian BPO worker posed as a Microsoft technician and tricked a UK man into installing malware on his computer and paying £200 for a fake antivirus software. [/mid-day.com]
10. In 2019, a former BPO worker and member of the Gnosticplayers hacker group claimed to have stolen the data of 18 million users of Zomato, an Indian food delivery app and put it up for sale on the dark web. [/et edge insights]
11. In 2020, a data breach exposed the personal information of over 7 million users of BHIM, a government-backed payment app in India. [/Unity Communcation]
12. In 2021, a cyberattack on Air India compromised the data of 4.5 million passengers, including names, contact information, passport details, and credit card data. [/cso online]
13. In 2022, a data breach affected 190,000 applicants of the Common Admission Test (CAT), an entrance exam for management courses in India. The breach exposed the personal and academic data of the applicants, as well as their test scores and preferences. [/Money Control]
14. In 2023, a data breach impacted 179 million customers of Jio, a leading telecom operator in India. The breach leaked the names, phone numbers, email addresses, and locations of the customers, as well as their device and network information. [/IBM newsroom]

These are just some of the examples of the data security and privacy breaches that have occurred in the Indian BPO industry, which have caused huge losses and damages to the clients, as well as tarnished the reputation and trust of the industry. These incidents have also raised serious questions about the legal and ethical implications of outsourcing BPO services to India, and the need for stricter regulations and standards to ensure the safety and security of the data.

What can be done to improve data security and privacy in the Indian BPO industry?

The Institute of Liberal Arts has conducted thorough research on the data security and privacy issues in the Indian BPO industry and has come up with two feasible recommendations that can enhance the data protection and compliance in this sector:

• The clients should conduct thorough due diligence and background checks on the BPO providers and the BPO workers before outsourcing their BPO services to India. They should also establish clear and binding contracts and agreements with the BPO providers and the BPO workers, specifying the terms and conditions, the scope and nature of the work, the data security and privacy policies and procedures, the rights and responsibilities, and the penalties and remedies for any breach or violation.
• Hiring BPO services from other countries like the Philippines, Sri Lanka, Bangladesh, Kazakhstan, Turkey, Kenya and other small developing countries could be a game changer for the industry. First, it could reduce labor costs, as wages and benefits tend to be lower than in India. This could be a major advantage for companies looking to cut costs and increase profitability. Second, it could provide access to specialized expertise and experience in specific business functions and processes, such as data entry, data analysis, data management, and data security.

I blieve the above recomendations could improve the quality and efficiency of the data services and could create competition and pressure on the Indian BPO industry, which is dominant and has been accused of lax data security and privacy practices. By diversifying their BPO service providers and locations, the clients could reduce their dependency and risk on a single country or region, and demand higher standards and quality from their vendors.