Your agents hold the keys to your clients’ systems. You have no way to take them back.

Agents see passwords. They can share them. They can sell them. MyCena fixes this at the architecture level and creates a new revenue line for BPOs.
35–45%
Annual agent turnover in typical BPO contact centres — each departure is a live credential window
3.2 days
Industry average to fully revoke a departing agent's access across all client systems
74
Active credentials for former employees at any given moment — at a 2,000-agent BPO with 35% turnover
£200–500K
Cyber insurance premium loading attributable to inadequate third-party access governance
The incidents

Three documented cases. All entered through a BPO or contact centre credential.

BPO breaches are frequently not reported as BPO breaches. They appear as “third-party vendor incidents” in enterprise breach disclosures. In every case, the entry point was an agent or support engineer credential that the enterprise client had no structural mechanism to control.

Sitel Group / Okta — 2022
366
LAPSUS$ compromised a support engineer at Sitel Group — a large BPO providing customer support services to enterprise clients — and used that credential to access Okta’s support case management system.
Because Sitel engineers routinely accessed multiple enterprise environments, one compromised credential affected 366 Okta enterprise clients. The entry was not a technical exploit. It was a support engineer credential in human hands.
Entry point — BPO support engineer credential, enterprise client cascade
Booking.com partner breach — 2021, recurring to 2026
532
Attackers compromised credentials of hotel partner contact centre agents who had access to Booking.com’s partner portal.
With those credentials they accessed real customer booking data and sent fraudulent payment requests to travellers. Action Fraud received 532 reports between June 2023 and September 2024 alone — £370,000 in customer losses. The Dutch DPA fined Booking.com €475,000 for the 2021 breach. The pattern has continued.
Entry point — contact centre agent credentials to partner portal
Financial services BPO — composite pattern
$4.1M
IBM’s Cost of a Data Breach 2024 identifies BPO and contact centre environments as among the highest-cost breach scenarios — because one compromised agent credential touches multiple client environments simultaneously.
The $4.1M average UK breach figure is the floor. BPO breaches that trigger SLA penalties across multiple client contracts simultaneously can exceed this by multiples.
Entry point — agent credential, multi-client environment exposure

In every case, the BPO was not the named victim — the enterprise client was. That is the structural problem. The breach enters through the BPO. The damage lands with the client. The contractual liability — SLA penalties, indemnity clauses, termination-for-cause provisions — flows back to the BPO. The BPO carries the commercial consequence of a risk it currently has no structural mechanism to prevent.

Risk landscape

Six credential risks specific to BPO operations

BPO credential risk is not primarily a security risk. It is a commercial risk. The consequences land in client contracts, SLA clauses, insurance renewals, and audit findings — not just breach disclosures.

01 — Commercial
Agent sells or shares credentials to client systems
A contact centre agent who decides to sell their credentials to a competitor, a fraud ring, or a data broker has complete access to every client system they were provisioned for. The dark web market for contact centre credentials to financial services, travel, and retail platforms is active. There is no technical barrier — only a policy barrier — between an agent and that decision today.
When this happens, the client’s contractual liability clause activates. The BPO is responsible. There is no defence that the agent did it without authorisation — the BPO created the credential and gave it to the agent.
02 — Operational
Former agent retains active access after departure
At 35–45% annual turnover, a 2,000-agent BPO processes 700–900 departures per year. The industry average of 3.2 days to complete full revocation across all client systems means approximately 74 former employee credentials are active at any given moment. Each one is a live exposure — purchasable on the dark web for a fraction of the damage it can cause.
Colonial Pipeline paid $4.4M because one inactive credential was never revoked. At BPO scale, with hundreds of departures per year, the actuarial exposure is material — and unpriced in most BPO contracts.
03 — Financial
SLA penalty clauses triggered across multiple contracts
A credential breach at a BPO does not affect one client. It typically affects every client whose systems that agent accessed — simultaneously. Most enterprise BPO contracts contain SLA penalty clauses that activate on any security incident affecting client data. At 10% of monthly contract value per incident across five contracts: a single breach event produces five simultaneous penalty activations.
A BPO with five contracts at £200,000/month and a 10% SLA penalty rate carries £100,000 in immediate penalty exposure from a single credential breach event. Most BPO finance directors have never calculated this number.
The 74-credential calculation
What your BPO is carrying right now — at a 2,000-agent operation with 35% annual turnover
Active credentials for former agents
74
At any given moment. Formula: (700 annual departures × 8 systems × 3.2 days) ÷ 365. Run it for your operation.
Annual SLA penalty exposure
£450K
5 contracts at £150K/month, 10% SLA penalty, 30% annual breach probability. IBM 2024 data.
Annual insurance loading
£200–500K
Attributable to credential governance gap. Quantified by Aon and Marsh as an explicit underwriting factor.
These figures are illustrative at typical BPO scale. The actual number for your operation depends on agent count, turnover rate, number of client contracts, and contract values. MyCena provides a bespoke calculation model on request.
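The steady-state figure above follows from a simple rate argument: every departure leaves one credential per provisioned system open until revocation completes, so the expected number of live former-agent credentials is departures per year, times systems per agent, times revocation time, divided by 365. The Python below is an added example, not MyCena's bespoke calculation model. It implements that formula with each input as a parameter (the worked formula above quotes 8 systems per agent while the operational section cites 8–14, so the example runs the whole range) and adds the inverse question a defender actually needs to answer: how fast must revocation complete to hold exposure under a chosen ceiling.

```python
"""Steady-state dormant-credential estimator.

Added example, not MyCena's bespoke model. It implements the formula
(annual departures x systems per agent x revocation days) / 365 with every
input as a parameter, plus the inverse: the revocation time that keeps the
expected number of live former-agent credentials under a chosen ceiling.
"""
from dataclasses import dataclass, replace

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class BpoProfile:
    agents: int              # current agent headcount
    annual_turnover: float   # fraction of headcount leaving per year, e.g. 0.35
    systems_per_agent: int   # client systems each agent is provisioned on
    revocation_days: float   # mean time to revoke across all systems, in days


def annual_departures(p: BpoProfile) -> int:
    """Departures per year implied by headcount and turnover."""
    return round(p.agents * p.annual_turnover)


def dormant_credentials(p: BpoProfile) -> float:
    """Expected live former-agent credentials at any instant.

    Each departure leaves systems_per_agent credentials open for
    revocation_days. With departures spread evenly over the year, the
    steady-state count is the year's credential-days of exposure over 365.
    """
    return annual_departures(p) * p.systems_per_agent * p.revocation_days / 365


def exposure_by_systems(p: BpoProfile, system_counts) -> dict:
    """Sensitivity to the one input the page gives as a range (8-14 systems)."""
    return {
        n: round(dormant_credentials(replace(p, systems_per_agent=n)), 1)
        for n in system_counts
    }


def revocation_days_for_target(p: BpoProfile, max_dormant: float) -> float:
    """Inverse: how quickly revocation must complete to hold exposure under max_dormant."""
    opened_per_day = annual_departures(p) * p.systems_per_agent / 365
    return max_dormant / opened_per_day


if __name__ == "__main__":
    # Inputs from the page: 2,000 agents, 35% turnover, 3.2-day revocation.
    base = BpoProfile(agents=2000, annual_turnover=0.35,
                      systems_per_agent=8, revocation_days=3.2)
    print("departures per year:", annual_departures(base))
    # 700 x 8 x 3.2 / 365 is about 49; the page's 74 corresponds to 12 systems per agent.
    print("dormant credentials, 8 systems:", round(dormant_credentials(base), 1))
    print("by systems per agent:", exposure_by_systems(base, (8, 10, 12, 14)))
    print("revocation days to stay under 1 credential:",
          round(revocation_days_for_target(base, 1.0), 3))
    # Revocation measured in seconds (the 4-second figure quoted later) drives the count to ~0.
    instant = replace(base, revocation_days=4 / SECONDS_PER_DAY)
    print("dormant credentials at 4 s revocation:", round(dormant_credentials(instant), 4))
```

The useful output is the inverse: at 700 departures a year across 8 systems, holding exposure under a single live credential requires revocation to complete in roughly an hour and a half, which is why a manual ticket-driven process measured in days cannot get there regardless of how diligently it is run.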

“No employer asks an employee to manufacture their own office key. Yet every BPO asks its agents to create and manage the credentials that open its clients’ most sensitive systems — and then wonders why those credentials get sold.”

Third-Party Credential Assurance — new revenue line
When your agents no longer control your clients’ credentials
You can win and retain more clients, bill a Governed Access managed service, and reduce cyber insurance premiums for you and your clients.
Full commercial model and clause available on request.
The operational change

What changes across the BPO operation

The credential problem manifests every day in service desk tickets, agent onboarding friction, audit preparation scrambles, and offboarding backlogs. MyCena eliminates the mechanism that creates all of it.

Without credential control — today
Agent joins. IT creates credentials or agent creates their own. From day one, the credential is in the agent’s possession — visible, copyable, shareable, and saleable.
Agent logs in from home, from a shared workstation, or on a personal device. There is no structural mechanism preventing them from photographing or copying the credentials they use for client system access.
Agent leaves. IT ticket raised. Manual process across 8–14 client systems. Average 3.2 days. Some systems missed. Former agent’s credentials remain active. 74 dormant exposures accumulate.
Client auditor asks for individual access log for a specific agent over a 90-day period. IT compiles from SIEM logs over 48–72 hours. Evidence is incomplete. Audit finding raised.
Client asks: “Can you demonstrate that your agents cannot share credentials to our systems?” The honest answer is no. The BPO can only assert a policy — not demonstrate a structural control.
With MyCena credential control
Agent joins. MyCena generates credentials centrally. The agent clicks to connect — they never see, hold, or know the credential. Nothing exists in their possession that can be sold or shared.
Agent works from any device. MyCena injects the credential at authentication. Photographing the screen shows nothing — the credential is never displayed. The structural mechanism for credential theft does not exist.
Agent leaves. One command. All access across every client system revoked in seconds. Timestamped log generated automatically. Zero dormant credentials. Zero exposure window.
Client auditor asks for individual access log. MyCena produces the complete attributed log on demand — every session, every system, every agent, timestamped to the second. Generated continuously. Not assembled before audit.
Client asks: “Can you demonstrate that your agents cannot share credentials?” The answer is yes — architecturally, not procedurally. The contract clause is inserted. The premium is billed. The relationship is differentiated.
What MyCena delivers

Structural credential control — and the commercial capability it creates

MyCena deploys in days with no infrastructure change. Agents experience one difference: they click to connect instead of typing a password. Everything else — the credential generation, the access logging, the revocation — happens automatically in the background.

Agents never hold credentials — structurally impossible to sell or share
The BPO generates every credential. Agents click to connect. There is nothing visible, copyable, or transmittable. Internal fraud via credential sale is structurally removed — not monitored, not trained away. Removed.
Offboarding in seconds — zero dormant credential exposure
When an agent leaves, one command revokes all access across every client system simultaneously. Timestamped log generated automatically. The 3.2-day average becomes 4 seconds. The 74 dormant credentials become zero. Permanently.
Individual access logs — continuous, attributed, on demand
Every access event logged by agent identity, client system, timestamp. The audit log is not assembled before inspection — it is generated continuously as a byproduct of normal operation. Client auditors receive it on demand. Audit findings on access governance cease.
Password resets eliminated — agent productivity recovered
Agents never hold passwords — there is nothing to expire, forget, or reset. The service desk reset ticket category for agent credential events drops to zero. At 11 minutes per agent per day of login friction across 1,000 agents: the equivalent of 45 full-time agent positions recovered annually.
“The banking client doesn’t ask whether your agents might share credentials. They ask whether it is structurally possible. If the answer is yes — if the agent holds the credential in any form — the BPO has a question it cannot answer with policy.”
The Sitel question

When LAPSUS$ compromised the Sitel support engineer in 2022, the credential was in human hands. It could be taken — and it was. 366 Okta enterprise clients were the consequence. The Sitel engineer would not have had a credential to surrender if Sitel had deployed MyCena. There would have been nothing to take. That is the structural difference between policy and architecture.

How it works

Deployed in days. Agents click to connect. Nothing else changes.

MyCena deploys as a software overlay above existing agent workstation environments. No client system is modified. No CRM is changed. No contact centre infrastructure is touched.

Step 01
BPO generates all agent credentials centrally
Every credential for every client system is generated by the BPO through MyCena. No agent creates their own access. No credential is shared via a team password manager or copied from a client PAM. Credential ownership is the BPO’s — not the agent’s — from the moment of creation. The BPO can now demonstrate this in writing.
Step 02
Agent clicks to connect — nothing visible, nothing held
Agents see a client system icon in their workspace. They click. MyCena injects the credential at authentication — it is never displayed on screen, never typed, never held in memory or clipboard. No monitoring software, no screen recording, no screenshot can capture it. The internal fraud mechanism is removed, not observed.
Step 03
Continuous access log — client evidence generated automatically
Every access event is logged — which agent, which client system, which session, timestamp to the second. The monthly compliance evidence pack is assembled automatically and formatted for client auditor submission. The ‘show me the log’ answer is available in seconds, not days. Audit preparation overhead drops to near zero.
Step 04
One command revocation — any agent, all systems, four seconds
Agent leaves: one command, all access revoked across every client system, timestamped log produced. SLA penalty clause: cannot activate because there is no credential breach mechanism. Audit finding on unrevoked access: impossible. The 74 dormant credentials: permanently zero. The commercial risk: structurally removed.
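The four steps above, and the before/after comparison in the operational section, describe one architecture with four testable properties: credentials are generated centrally, the agent receives a session rather than a secret, every access is attributed and logged continuously, and a single call revokes one agent on every client system. The Python below is an added teaching model of that pattern, not MyCena's code, and it makes no claim about how MyCena is built. The client systems are constructed stubs, the secrets are random, and the hash-chained log is one way of making the "generated continuously, not assembled before audit" property verifiable.

```python
"""Toy model of a brokered-credential architecture (added example, not MyCena's code).

Properties modelled: central generation, agent never receives the secret,
attributed tamper-evident access log, one-call revocation across all systems.
The client systems here are constructed stubs standing in for CRMs or portals.
"""
import hashlib
import json
import secrets
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first log entry


class ClientSystem:
    """Stub client system: stores password hashes and checks logins (constructed)."""

    def __init__(self, name: str):
        self.name = name
        self._accounts: dict[str, str] = {}  # account id -> sha256 hex of its secret

    def provision(self, account_id: str, secret: str) -> None:
        self._accounts[account_id] = hashlib.sha256(secret.encode()).hexdigest()

    def login(self, account_id: str, secret: str) -> bool:
        stored = self._accounts.get(account_id)
        offered = hashlib.sha256(secret.encode()).hexdigest()
        return stored is not None and secrets.compare_digest(stored, offered)

    def deprovision(self, account_id: str) -> None:
        self._accounts.pop(account_id, None)


class CredentialBroker:
    """Holds every agent credential; agents only ever see session handles."""

    def __init__(self, systems):
        self.systems = {s.name: s for s in systems}
        self._vault: dict[tuple[str, str], str] = {}  # (agent, system) -> secret
        self.log: list[str] = []                       # JSON lines, hash-chained
        self._prev = GENESIS

    def _record(self, **fields) -> None:
        """Append one attributed event; each entry commits to the previous one."""
        fields["ts"] = datetime.now(timezone.utc).isoformat(timespec="seconds")
        fields["prev"] = self._prev
        line = json.dumps(fields, sort_keys=True)
        self._prev = hashlib.sha256(line.encode()).hexdigest()
        self.log.append(line)

    def onboard(self, agent: str, system_names) -> None:
        """Step 01: broker generates and provisions every credential centrally."""
        for name in system_names:
            secret = secrets.token_urlsafe(32)       # never returned to the agent
            self._vault[(agent, name)] = secret
            self.systems[name].provision(agent, secret)
            self._record(event="provision", agent=agent, system=name)

    def connect(self, agent: str, system_name: str):
        """Step 02: click-to-connect. Broker authenticates; caller gets a handle or None."""
        secret = self._vault.get((agent, system_name))
        ok = secret is not None and self.systems[system_name].login(agent, secret)
        self._record(event="connect", agent=agent, system=system_name,
                     result="ok" if ok else "denied")
        return f"session:{agent}@{system_name}:{secrets.token_hex(8)}" if ok else None

    def offboard(self, agent: str) -> int:
        """Step 04: one call deprovisions the agent everywhere; returns credentials revoked."""
        keys = [k for k in self._vault if k[0] == agent]
        for _, name in keys:
            self.systems[name].deprovision(agent)
            del self._vault[(agent, name)]
            self._record(event="revoke", agent=agent, system=name)
        return len(keys)

    def live_credentials(self, agent: str) -> int:
        return sum(1 for k in self._vault if k[0] == agent)

    def access_report(self, agent: str) -> list[dict]:
        """Step 03: auditor query answered straight from the continuous log."""
        return [e for e in map(json.loads, self.log) if e.get("agent") == agent]


def verify_chain(log: list[str]) -> bool:
    """True if no entry was removed, reordered or altered since it was written."""
    prev = GENESIS
    for line in log:
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True


if __name__ == "__main__":
    broker = CredentialBroker([ClientSystem("crm"), ClientSystem("billing")])
    broker.onboard("agent42", ["crm", "billing"])
    print("handle:", broker.connect("agent42", "crm"))      # a session, not a password
    print("revoked:", broker.offboard("agent42"))           # 2, in one call
    print("after offboarding:", broker.connect("agent42", "crm"))  # None
    print("chain intact:", verify_chain(broker.log))
```

Two design points carry the weight. The secret never crosses the broker boundary: `connect` returns an opaque handle, so there is nothing for a screenshot, a clipboard or a departing agent to carry away, which is the property the table above calls "structurally impossible to share". And because revocation is a loop over the broker's own vault rather than a ticket fanned out to each client team, the count of live credentials for a former agent goes to zero in the same call that records the revocation, which is what turns "3.2 days" into an auditable timestamp.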
Client audit requirements

The questions your clients are about to ask

Enterprise clients across financial services, travel, and healthcare are tightening their BPO access governance requirements. These are the audit questions that MyCena enables the BPO to answer with evidence rather than policy.

FCA / DORA — third-party access
SYSC 8 and DORA Article 28 require financial services organisations to demonstrate governance of their BPO suppliers’ access controls — including instant revocation capability and individual access logs. The BPO’s client is the regulated entity. The BPO’s credential governance capability is the client’s regulatory evidence. MyCena provides it continuously.
✓ DORA Article 28 access governance evidence — continuous and on demand
PCI DSS v4.0
For BPOs handling payment card data on behalf of clients: PCI DSS requires unique user IDs for all individuals accessing cardholder data, immediate access revocation on personnel changes, and audit logs covering all access. Shared credentials and 3.2-day revocation lags fail all three simultaneously. MyCena satisfies all three architecturally.
✓ PCI DSS individual attribution, instant revocation — structural compliance
GDPR — data processor obligations
The BPO is the data processor. The enterprise client is the data controller. Under Article 28, the BPO must implement technical measures ensuring only authorised personnel access personal data. Policy is not a technical measure. Structural credential control — where access is architecturally governed — satisfies the Article 28 technical obligation that policy cannot.
✓ Article 28 technical measures — architectural, not procedural
ISO 27001:2022 — A.9 access control
A.9 requires access rights to be removed immediately on contract change or departure, individual user authentication (no shared credentials), and audit logs of access events. MyCena satisfies all three requirements architecturally. For BPOs supporting clients who hold ISO 27001 certification, this evidence is required — and MyCena generates it automatically.
✓ ISO 27001:2022 A.9 — individual access, instant revocation, continuous logs
OCC / FFIEC — banking supervision
US banking regulators require ongoing monitoring of third-party vendor access controls. BPOs serving US banks face examination risk if they cannot produce demonstrable, auditable evidence of access governance. The OCC’s third-party risk management guidance requires BPOs to demonstrate — not just assert — that access is controlled and revocable. MyCena is the demonstration.
✓ OCC third-party risk — demonstrable evidence, not asserted policy
Cyber insurance renewal
At every renewal, underwriters assess third-party access governance as a material rating factor. The credential governance gap generates an explicit loading — £200,000–£500,000 per year for a mid-size BPO. MyCena removes the gap. The evidence pack — timestamped revocation logs, quarterly access summaries — is the underwriting evidence that supports premium renegotiation.
✓ Underwriting evidence pack — removes the loading at renewal
BPO commercial briefing
A 45-minute briefing on the credential liability, the revenue line, and the deployment path — specific to your agent count, client mix, and contract structure.