How Agent Exposure to Customer Data is Putting Contact Centers at Risk

Even in today’s digital age – with self-service technologies, powered by artificial intelligence (AI) and automated chatbots—enterprise contact centers with live agents and customer service representatives (CSRs) continue to play a vital role in the customer experience. According to a study by Google, 61 percent of mobile users still call a company when they want to make a purchase. While live agents may be able to provide a more personalized and streamlined transaction process, they can also pose a serious threat to a contact center’s data security.

Recent examples that have been in the news include the contact center agent working for a U.K. bank, who was charged with defrauding a customer out of £25,000 (nearly $33,000). And, a Mumbai-based security firm allegedly obtained personal customer information from employees at off-shore contact centers and then sold it to third parties for up to $1,000 per data set. Most agents are good, honest people – but there should be no room for risk when it comes to protecting your customers’ sensitive data. Just one successful data breach, whether due to a rogue agent, a careless mistake, or criminal coercion and bribes will jeopardize your customers’ trust, the reputation of your brand and even your company’s future.

Survey Says: Agents Experiencing Breach Attempts

To find out firsthand what kind of fraudulent behavior is occurring in today’s contact centers, Semafone recently conducted an anonymous survey of more than 500 agents worldwide. First, we discovered that 72 percent of agents who collect payment card data, social security numbers (SSNs) and other personally identifiable information (PII) over the phone still require customers to read their information out loud. This exposes sensitive data to the agent on the line (who may have malicious intentions), as well as to call recording systems (which can be breached by hackers), and nearby listeners (who could easily overhear the information exchange and jot down credit card numbers or other PII).

Second, we found that 30 percent of agents who collect PII over the phone have access to that information when they aren’t on the line with the customer. With this over-access to customer data, agents can easily facilitate breach attempts from both those inside and outside the company – which we confirmed were occurring: 7 percent of agents who collect customers’ personally identifiable information (PII) over the phone said they had been approached by someone inside their organization to illicitly share or access this information. For instance, an employee upset with company management could bribe an agent into sharing personal data that he or she intends to use for an extravagant online shopping spree.

Similarly, 4 percent of agents in our survey said that someone outside their organization had asked them to share PII. These occurrences could include a fraudulent caller using social engineering tactics to manipulate the agent into sharing sensitive data. In addition, the survey showed that 9 percent of agents had witnessed someone else illicitly attempting to access PII.

While the above figures regarding insider and outsider breach attempts may seem relatively small, they quickly add up if extrapolated to the larger contact center agent population. Given that there are approximately 2.2 million contact center agents in the U.S., it is possible that nearly 150,000 agents have been asked to share sensitive customer and payment card data by others within their company; and more than 85,000 agents have been approached by an outsider to do the same. If just one of these breach attempts is successful, the results can be devastating for a company. In fact, the average cost of a data breach in 2016 was $3.62 million, which includes legal fees, reputation damage, customer reparations and more.

However, even more alarming is that 42 percent of agents who were approached to share customers’ sensitive data said they did nothing to mitigate the situation (neither contacting management nor law enforcement). Therefore, there is a good chance that contact centers are regularly experiencing breach attempts but are unaware of the situation, and thus are not taking appropriate measures to prevent future attacks.

Protect Your Data, Protect Your CSRs

Now that we’ve confirmed that contact center agents are experiencing and witnessing breach attempts, organizations must take a closer look at their current practices for protecting customer data and limiting agent exposure to sensitive information. While our survey showed that 26 percent of agents operate in a clean room, which prohibits all personal items to prevent employees from stealing customer data, this draconian approach has little merit. Yes, clean rooms deter agents from copying down or recording customer data, but they also have been proven to lower employee morale and lead to high staff turnover. Further, they do not prevent the capture of PII on call recordings or keep it from touching various computer applications and CRM systems, so data is still at risk of a breach.

In addition to the use of clean rooms, employee vetting and background checks only go so far. The same holds true for agent training – no matter how aware your agents are of potential threats (such as those using social engineering tactics to get their hands on sensitive data), or how much you encourage staff to report breach attempts and suspicious activity, the risk of a potentially brand-damaging data breach remains. The only way to mitigate risks from both insiders and outsiders, safeguard your company’s livelihood, and protect your agents and customers is to remove any unnecessary sensitive data from your business’ IT infrastructure.

To ensure PII never enters their contact centers in the first place, a growing number of organizations are using dual-tone multi-frequency (DTMF) masking technologies. With these technologies, customers can enter PII, such as payment card data, directly into their telephone keypad. DTMF sounds are replaced with flat tones, so the agent, call recordings and nearby listeners cannot decipher the numbers. Unlike interactive voice response (IVR) systems, DTMF solutions allow agents to remain in full voice communication with callers as the data is entered, ensuring a positive customer experience and journey. And, PII is sent directly to the appropriate third party for processing so it never touches the business’ IT infrastructure.

While the results of Semafone’s global survey were disconcerting, contact centers can learn from these findings and begin taking proactive measures to prevent agent exposure to sensitive customer data. The first and most vital step is to remove PII from your contact center environment. With this approach, you’ll not only protect your business by making it far less attractive to hackers and fraudsters (after all, they can’t hack data you don’t hold), but also protect both your agents and your customers.