In news that has sent shockwaves through the contact center community, Australian energy company ActewAGL was recently at the center of one of the most high-profile employee misconduct cases the industry has seen.
In May this year, a customer phoned the ActewAGL contact center to query a $2,000 refund that appeared on her bill, but which she claimed she had never received. Upon further investigation, it became apparent that this customer was not the only one to be missing money. In fact, an employee, 29-year-old Jessica Kate Anderson, had been siphoning off customer credit for three months.
In charge of taking calls regarding all types of ActewAGl accounts, Ms. Anderson had the ability to issue bills, reverse bills and provide refunds – all of which gave her access to the personal information of every customer she had contact with, including ID, bank details, account details and transaction history.
Ms. Anderson then formulated a scheme whereby she would identify accounts of customers who made regular payments (and were therefore often in credit) before phoning her own call center and using the customer’s personal data to impersonate them, requesting that any credit was refunded into her own account. After just three months, she was estimated to have stolen $13,000 worth of customer money.
To us, however, it’s not the scale of the crime that is shocking, it’s that the employee ever had access to such sensitive data in the first place.
What Does Employee Misconduct Mean for Your Business?
Any data security breach, whether it’s external or internal, can be costly and devastating to an organization.
Firstly, there are the fines to take into account; businesses found to be at fault for a data breach face ICO fines of up to £500k (or €20m / 4% of annual global turnover following the implementation of the new GDPR next year). That’s not including any lawsuits, legal costs, insurance claims, increased banking fees, or share price drops that may follow. Overall, breaches are now estimated to cost organizations $3.8m (£2.9m) on average.
Even if your company can cope financially, which many cannot, the ensuing loss of reputation with customers can be catastrophic.
How Can You Prevent Employee Misconduct?
PCI DSS requirement 12.7 says that any employee who is going to have access to sensitive data ought to undergo strict background checks, such as employment history, criminal record, credit history and reference checks. However, these are only recommendations and such checks are not infallible – people can be unpredictable, after all.
The best way to avoid the risk of employee misconduct entirely, is to ensure that your employees never have access to your customers’ personal data in the first place. For example, our Agent Assist solution uses DTMF capture technology to mask key tones and prevent agents from ever seeing or hearing card details.
Employing PCI compliant secure payment technology like this allows your contact center agents to take payments safely and securely, without ever coming into contact with sensitive information or putting your business – or customers – at risk.
To find out more about our secure cloud payment solutions, please get in touch with our expert data security consultants today.