Location: NOIDA (New Delhi)
Victim: EXL Services, a BPO / Aviva, as client of EXL
Perpetrator: Edward Burns, Team Lead at EXL Services
Amount Swindled: GBP 50.5K (Rs. 41.5 lacs), but he got only Rs. 3 L (that's about GBP 5000) since 2007, which is no big deal in terms of income. I wonder why he has wasted his life for small change!
Burns was Team Lead at EXL, handling insurance claims. Along with associates based in the UK, he started the scam sometime in 2007 and seems to have done about 12 such transactions.
As Team Lead he had access to all insurance-related data, and he used this knowledge to manipulate insurance claims. He identified 'dead' insurance accounts and processed / filed claims against them, but changed the bank information for the payout so that the bank coordinates belonged to his associates.
Three associates have been identified in the UK and their bank accounts were used as the drop accounts. These associates would travel to India and Mr Burns got his share.
Well Mr. Burns can forget his share of the booty, and will have to start working on manipulating his own figure to fit in whichever jail he is lodged.
My Comments / Observations:
While it is necessary for leads / managers etc. to have access to information, it is also necessary to have checks on the transactions they carry out. This is the fundamental requirement in any transaction-based process, and that is why we have the concept of segregation of duties (SOD). In this case it seems that Burns did not have any supervisor checking the transactions / claims he filed; and if there was such a check, then there is a system error in allowing client data to be changed at this level.
The client data would have been provided by Aviva, as submitted by their client. How can a BPO employee change this (bank account information) without authorization, and that too while a monetary claim is being processed?
If the change was made only on the payment form, then the person who does the final step of printing the check should be cross-checking the payee name and bank info.
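The checks discussed above (a second approver, a cross-check of payout details against the insurer's record, and scrutiny of 'dead' accounts) can be enforced as a hold gate before payout. This is an added example, not code from EXL or Aviva; the record fields, user names and account values are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Claim:
    claim_id: str
    policy_id: str
    payout_account: str
    filed_by: str
    approved_by: Optional[str]

# Constructed master records, standing in for the data supplied by the insurer.
POLICIES = {
    "P-1001": {"bank_account": "ACCT-0001", "dormant": False},
    "P-1002": {"bank_account": "ACCT-0002", "dormant": True},
    "P-1003": {"bank_account": "ACCT-0003", "dormant": True},
}

# Constructed claims queue.
CLAIMS = [
    Claim("C-1", "P-1001", "ACCT-0001", "agent7", "lead2"),
    Claim("C-2", "P-1002", "ACCT-9999", "lead1", "lead1"),
    Claim("C-3", "P-1003", "ACCT-9999", "lead1", None),
]

def hold_reasons(claim, policies):
    """Return the reasons a claim must be held before payout (empty = release)."""
    policy = policies.get(claim.policy_id)
    if policy is None:
        return ["unknown policy"]
    reasons = []
    if claim.approved_by is None:
        reasons.append("no second approver")
    elif claim.approved_by == claim.filed_by:
        reasons.append("filer approved own claim")
    if claim.payout_account != policy["bank_account"]:
        reasons.append("payout account differs from insurer record")
    if policy["dormant"]:
        reasons.append("claim on dormant policy")
    return reasons

def shared_payout_accounts(claims):
    """Payout accounts receiving money for more than one policy."""
    seen = defaultdict(set)
    for c in claims:
        seen[c.payout_account].add(c.policy_id)
    return {acct: pols for acct, pols in seen.items() if len(pols) > 1}
```

The second function covers the pattern of a few drop accounts collecting payouts from several unrelated policies, which a per-claim check alone would not surface.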
The problem is that my reliance is only on print and online media or TV to report these incidents. With time I shall try to connect with people in these organizations to get more first-hand information.
News Media Online:
Times of India: BPO executive held for fraud
Hindustan Times, Delhi: One more fraud @ the call centre