You have software such as Flexispy and the others.
To your direct concern about obtaining call records without consent and in such a way that nobody gets any suspicion, my answer would be the age-old indian proverb.
" YOU CAN CLOSE A VESSEL USING A LID, BUT YOU STOP THE CURIOSITY AND MOUTH OF THE WORLD "
So, Yes, exactly similar to a person stealing money from his own parents to fund his habit of gambling, companies too have people who resort to crimes ranging from simple ones to complicated ones, without anybody getting any suspicion.
See, Finally, on the day of the actual war, what matters is your legal evidence.
That is why I advised you to send a letter to the MD and VP-Legal along with a communication to TRAI, highlighting your suspicions.
You can, if you have sufficient evidence, file a PIL ( Public Interest Litigation ), seeking to understand the steps taken by the companies to ensure
That is the technical word we use in the Technology Industry.
" FOOL-PROOF METHODS for security "
So, with such letters as evidence, if required in the future, you can always establish that you have brought to their notice a suspicious activity and it is up to them to prove to the court that they have ensured adequate security measures and despite that if information of a private nature, has flown out, the company needs to compensate you for the damages.