India police arrest 18 in credit card fraud tied to TP data breach
HARYANA, INDIA — Delhi Police have arrested 18 individuals in a multi-state fraud operation that siphoned nearly ₹2.6 crore (US$297,839.36) from State Bank of India (SBI) credit card holders, according to a report by The Economic Times.
Insider breach at TP call center
The scam’s key enabler was an alleged data breach at a TP call center in Gurugram, which handled SBI’s Card Protection Plan (CPP) services.
“The modus operandi included data leak at the source in which insider moles in the authorised Card Protection Plan (CPP) call centre, Teleperformance, Gurugram, secretly siphoned off confidential SBI Credit Card data,” said Deputy Commissioner of Police Vinit Kumar in a police statement.
Insiders Vishesh Lahori and Durgesh Dhakad reportedly leaked confidential customer details—including card numbers and personal identifiers—to the fraudsters. Police say this breach allowed the syndicate to pose as bank executives and trick victims into sharing OTPs and CVVs, leading to unauthorized transactions.
TP (previously known as Teleperformance), a global call center giant managing sensitive financial data for major banks, now faces scrutiny over its security protocols.
Investigators highlighted the company’s failure to prevent internal leaks, raising concerns about third-party vendors handling critical banking information.
The stolen data was used to purchase e-gift cards from travel platforms, which were then resold or converted into cryptocurrency to obscure the money trail.
Fraudsters laundered money via travel platforms and crypto
The fraudsters employed a well-organized laundering system, converting stolen funds into untraceable assets. After buying high-value e-gift cards using compromised SBI card details, they sold them to travel agents for cash or exchanged them for Tether (USDT). This stablecoin bypasses traditional banking oversight.
The geographical dispersion of the operation, such as targeting victims across the country, excluding Delhi, suggests the use of deviant strategies. The masterminds, Ankit Rathi, Waseem, and Vishal Bhardwaj, set up the scheme, and the SIM card suppliers and the finance handlers facilitated the logistics.
As a testament to the scale of the operation, police seized 52 cell phones, numerous SIM cards, and banking materials, among other items, to appreciate the magnitude of the syndicate. The case raises concerns about the growing risk of cooperation between cybercrimes and crypto, suggesting that the regulation of fintechs must be strengthened.
Rising concerns over cybersecurity and fintech regulation
The arrests have brought increased attention to outsourcing companies, such as Teleperformance, which handle sensitive bank data but have minimal internal security.
“The investigation has also raised concerns about large-scale data leaks from Teleperformance, a Gurugram-based call centre handling critical banking information. The breach exposes the company’s inability to safeguard confidential data and raises urgent questions about its security protocols,” police said.
Such events are echoed by the global position of soaring fraud rates, with insider leaks and crypto laundering.
As the digital payment market in India has grown, regulatory bodies may escalate the requirement to tighten the cybersecurity requirements of outsourcing partners.
At least in the short term, the case is a bleak reminder of how vulnerable trusted intermediaries can turn into potential holes in financial security chains.
