Hacking the Call Center

Every corporate IT department faces its share of security threats from the outside world. But contact centers face double the danger, since potential data thieves likely lurk in their own ranks as well.

After all, when you combine an employment revolving door with easy access to sensitive customer information, including social security numbers, credit card numbers and financial information, you have a potentially explosive situation. And contact centers are notorious for their low pay and high turnover rates.

Despite these risks, some experts say the contact-center industry has been slow to beef up its security standards. The push to reduce cost per call has reigned supreme, they argue, leaving little budget for IT enhancements.

A recent dramatic increase in identity theft might lead to major changes, however. California has become the first state to penalize companies whose sensitive customer data is compromised, and more legislation has been proposed at the state and national levels. This trend may culminate in new security standards — and higher costs — for both internal and contract contact centers.

California’s State of Security

The genesis of new standards for call center security may have been the activities of a still-unknown hacker in early 2002. The hacker found a way into a California state data center, which ran payroll software for government employees. For several weeks, hackers had access to the confidential information of about 265,000 state employees, including members of the state legislature.

The data center did not inform state employees about the security breach. When lawmakers finally heard about the incident, they were outraged, claiming all employees should have been put on alert so they could guard against identity theft.

As a result, the legislature passed a bill mandating that Californians be notified immediately upon discovery of a security breach if that breach could have revealed any confidential, personal information. The law, which went into effect in July, affects any company, not-for-profit organization or government agency that maintains information about any California resident.

A federal version of the law now has been introduced in the U.S. Senate.

Back-Burner Security

A few regulated industries, such as financial services and medicine, already have clamped down on call center security, largely because companies in these markets face stiff penalties if they do not adequately protect customer data.

However, in the vast majority of cases, call centers place little to no emphasis on creating a secure operating environment, according to Jerry Brady, chief technology officer and chief security officer at security consulting firm Guardent.

“Most call centers aren’t ready to answer questions about their security systems,” Brady told CRM Buyer. “Up until the last couple of years, their main concerns were cost per item and making sure the agents answered the phone in the right language and accent.

“I could probably pick up the phone and be hired to start work in almost any call center in America tomorrow,” he added. “And once I started work, I would hack into the call center’s system within a week or so. I don’t think it would be a difficult thing to do.”

Keeping Breaches on the QT

What is more, outsourced call centers that do experience security breaches rarely, if ever, alert their clients.

“If a situation like that occurred, I don’t believe that the average call center would know how to handle it,” Brady said. “This is not a regulated industry that is used to disclosure. Plus, I’ve never seen a call center that had a security officer, a security plan or any idea of what they would do if they were attacked.”

Companies that outsource their call center functions must start asking new questions when seeking out service providers, Brady added. Such questions might seek details on hiring policies, drug testing, background checks and IT infrastructure. A more secure IT infrastructure might feature passwords that change frequently, thin-client terminals that prevent agents from storing customer information, and spyware that logs agent activities.

“At the end of the day, it comes down to knowing that your supplier will treat your data similarly or the same as you would yourself,” he said.

Virtual Security Guards

As a commercial finance company, CitiCapital has long focused on providing security both inside and outside its contact center’s IT systems. Between federal regulations and customer demands, the company must make data privacy and integrity a top concern, William Brewer, senior business analyst at CitiCapital, told CRM Buyer.

“Our customers’ information is precious,” Brewer said. “And if someone hacks into our systems for whatever reason and gains access to our information, we have a lot of exposure.”

In the past, the industry standard dictated that all data associated with a specific customer would be sent outside the firewall to an auto-dialer. This information might include name, address, phone number and social security number, among other details. Unfortunately, automated dialers can be hacked fairly easily, Brewer said.

Software in the Middle

To eliminate this security threat, CitiCapital has completely redesigned its call center processes and IT infrastructure to limit the amount of customer information viewed by call center agents while also keeping all crucial data behind a secure firewall. The company invested in a new middleware solution called ContactQ, which was released last month by Positive Software Systems.

ContactQ culls the phone number from each customer’s record. By sending only the phone number to the dialer, crucial data is protected. ContactQ also limits data access within the call center, giving agents only the functionality and information they need to do their jobs.
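The data-minimization pattern described above, shown as an added Python example; it is not ContactQ's code or CitiCapital's implementation. The `DialerGateway` class, the `ROLE_FIELDS` allow-lists, the opaque single-use tokens and the sample records are all assumptions made for illustration.

```python
import secrets

# Constructed sample records; every value here is made up for illustration.
CUSTOMER_DB = {
    "C-1001": {"name": "Pat Example", "phone": "+1-555-0100",
               "ssn": "000-00-0000", "address": "1 Sample St", "balance_due": 420.00},
    "C-1002": {"name": "Lee Sample", "phone": "+1-555-0101",
               "ssn": "000-00-0001", "address": "2 Sample Ave", "balance_due": 87.50},
}

# Hypothetical per-role allow-lists: the only fields an agent screen may show.
ROLE_FIELDS = {
    "collections_agent": {"name", "balance_due"},
    "supervisor": {"name", "phone", "address", "balance_due"},
}


class DialerGateway:
    """Runs behind the firewall; the dialer only ever receives (token, phone)."""

    def __init__(self, db):
        self._db = db
        self._token_to_customer = {}  # this mapping never leaves the trusted side

    def export_for_dialer(self, customer_ids):
        """Build the dialer batch: an opaque token plus the phone number, nothing else."""
        batch = []
        for cid in customer_ids:
            token = secrets.token_urlsafe(16)  # random, not derived from the customer id
            self._token_to_customer[token] = cid
            batch.append({"token": token, "phone": self._db[cid]["phone"]})
        return batch

    def screen_pop(self, token, role):
        """When a call connects, return only the fields this role is allowed to see."""
        cid = self._token_to_customer.pop(token, None)  # tokens are single use
        if cid is None:
            raise KeyError("unknown or already used token")
        allowed = ROLE_FIELDS.get(role, set())  # an unknown role sees nothing
        return {k: v for k, v in self._db[cid].items() if k in allowed}
```

A compromised dialer in this arrangement yields phone numbers and random tokens; the social security number and address stay in the record store behind the gateway.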

“The biggest challenge in today’s call center world is how you distribute data across a global enterprise,” Edward Mandel, president and CEO of Positive Software Systems, told CRM Buyer. “When data flows from one call center to another, it must stay secure.”

Chatting in Safe Mode

However, even as companies have introduced innovations in customer contact management, new threats have cropped up. Such is the case with live chats. If hacked, they can provide a wealth of information about customers and their accounts, said Tony Pante, senior vice president of marketing and product strategy at chat software provider LivePerson.

“A chat transaction is very similar to a phone call,” Pante told CRM Buyer. “The agent is in communication with a customer, and they exchange information like account number and credit card information. If someone gets access to all of a company’s chat transactions, then it is just as though they had access to the entire customer database.”

To prevent data hijacking, chat sessions should be encrypted, Pante said. What is more, to protect the company’s record of past chats, the entire database should be encrypted.

Trouble-ticket programs also deserve special attention, with a secured and encrypted database. And rather than sending customer-sensitive information via e-mail, customers should be sent a link to the company Web site, from which they can sign in to retrieve the data they need.

1 Comment

  • Ironic that there is another story on TrueActive Software in the eCommerce Times today – it’s the product my company purchased to stop internal security attacks. It monitors everything that happens on a PC, and is really the only effective solution against internal security attacks as described in this article. Highly recommended –
