Outsourcing: Northrop Grumman claims contractor to blame for security breach.

Do you know what happens to your old hard disks? Northrop Grumman, the US defence contractor does. They have someone who comes and takes them away and deals with them.

Except that a group of Canadian students got one when they bought seven disks as a job lot in a street market. They paid just USD40 for the disk that contained details of contract negotiations between Northrop and the Pentagon.

Northrop says that they believe that the disk was stolen from their contractors.

Which brings us back the furore over "downstream" security in outsourcing.

Aside from competence, security and compliance remain major concerns for outsourcing.

And data security is at the heart of most of those problems.

The UK government has a nasty habit of losing data - but so do its contractors.

Just last week, T-Mobile admitted that data posted onto the internet by someone claiming to be a hacker was genuine and had been stolen. But T-Mobile says that the hackers have not, so far as they are aware, collected any data that compromises customers' personal data security. Yet that's a company that prides itself on data security - and the data had been kept in-house.

A report published by Citrix in February this year surveyed almost 1000 people who had left their jobs or been fired - and 59% of them admitted to stealing data when they left. Perhaps even more disturbing - for both sides - 67% of them admitted to using confidential data belonging to their employer to increase their chances of getting a better job.

It's in the area of financial services that the jitters really start. With many major banks outsourcing call centres to low-wage environments, the opportunity for call-centre workers to obtain confidential data and either use it or sell it is immense.

But one has to wonder if the threat is as great as the fear. For example, looking to dig out examples of outsourcing company workers who abused their position through up remarkably few cases. Perhaps the most interesting was the case of three former employees of a company in Pune, India. They gathered account information on customers of a US bank and defrauded four customers out of a total of USD300,000. What is interesting is that it's still being quoted as a leading case - but the three were arrested in 2005.

Another fear that is often quoted is that of low-paid workers being soft targets for wealthy foreign criminals who offer to buy data. And the fear is based in a truth: low paid workers in all manner of businesses are corrupted to steal data. It's not new: the epidemic of stolen telephone card charge numbers from hotels and carbon from credit card slips is testament to how entrenched this practice has become over three decades. And that's before we enter the realms of card-skimming and related practices - which are well established ways in which employees are corrupted.

The question that arises from the Northrop case, then, is how best to monitor outsourced services - and how to handle the fall out when it goes wrong.