Thousands of customer records stolen and sold on by former employee. Data theft defendant pleads guilty to unlawfully obtaining personal data.
A vehicle repair worker has received a six-month prison sentence for stealing customers’ personal data from his employer.
The former employee of Nationwide Accident Repair Services (NARS) pleaded guilty to stealing thousands of customer records. …then selling the data on to rogue claims firms.
Mustafa Kasim used colleagues’ log-ins to unlawfully access thousands of customer records, according to the Information Commissioner’s Office (ICO). He continued to access the data when he moved to a new employer which used the same software system, Audatex.
When NARS became aware, its clients were being targeted by nuisance calls, the company reported the matter to the ICO. An investigation indicated that customer’s personal data had been sold on to a third party. The stolen data contained records of customers’ names, phone numbers, and vehicle and accident information.
This is the first prosecution to be brought by the Information Commissioner’s Office under the Computer Misuse Act.
Copycat data theft crime
Earlier this year, a former colleague of Kasim’s was prosecuted for stealing customers’ personal data. Phillip Bagnall admitted stealing 2,724 customer records from his former employer. Adding to the charge of data theft, Bagnall then sold personal data of motorists to rogue telemarketers for approximately £1,000.
Bagnall, of Manchester, pleaded guilty to offences under section 55 of the Data Protection Act by unlawfully obtaining personal data. He was £500 and ordered to pay costs of £364 and £50 victim surcharge.
Data theft does not pay – Is Stealing Data A Crime?
The ICO normally prosecutes offences like this under the Data Protection Act, which cannot lead to prison. However, in this case the watchdog used the Computer Misuse Act, which gives courts greater latitude when it comes to sentencing. Commenting on the data theft, Mike Shaw, group manager of the ICO’s Criminal Investigations Team said “people who think it’s worth their while to obtain and disclose personal data without permission should think again.” He added:
Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour. …Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies causing unnecessary anxiety and distress. The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable.
Mr Shaw confirmed that both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again. Sources & credits: Information Commissioner’s Office, BBC News, Decision Marketing