The Times of India recently reported a case that will strike fear into the hearts and minds of information security specialists and C-level executives that support and promote the use of outsourcing for company processes and operations.
According to the report, the owner of an IT business process outsourcing (BPO) service provider has been accused of stealing information from Florida-based company Noble Ventures, and reselling it to their US-based rivals.
When Noble Ventures cancelled their contract for Web site creation and maintenance with Ahmedabad-based Business Bee Solutions, the company's owner closed his BPO shopfront and moved operations to his home.
It is not known when he sold the data belonging to Noble Ventures, but he used an American-based accomplice to sell the stolen information to Noble Ventures' US competitors.
Spurned by the loss of the contract, and with the unspecified data worth a quarter of a million Australian dollars, it is likely the BPO owner saw it as a way to regain some lost earnings from the deal.
While the nature of the stolen data was not identified, the operations engaged in by the company suggest it could be the personal and professional details of up to 12.5 million Americans.
Some might see the case as justified karma, given Noble Venture's operations in selling mailing lists, email lists, and other direct marketing operations facilitate the sending of junk mail and email to vast numbers of unknowing Americans.
The breach highlights the risks companies face when sensitive information leaves the corporate perimeter.
A solid information security risk assessment should consider the risks associated with a third party selling sensitive company information, and the associated costs of client retention and servicing provider replacement.