Former T-Mobile Employees Fined for Stealing Customer Data

Fines totalling £73,000 against two former T-Mobile employees raise some interesting issues about data protection prosecutions. The two were fined for theft of customer data. This took the form of stealing customer data, including contract renewal dates, which was then passed to a company set up by the former T-Mobile marketing manager. There was an attempt to launder the data, with the addition of other non-T-Mobile customers, which was then sold on to marketing companies. Over half a million such records were sold. Many T-Mobile customers will have experienced calls, usually from abroad, claiming to be from the company and asking about their contract renewal.

The ICO (Information Commissioner’s Office) took the lead in the prosecution. An interesting aspect of this was that the fines were imposed under the Proceeds of Crime Act for confiscation costs, rather than as a fine under the DPA (Data Protection Act). The culprits received sentences of up to 18 months, which were suspended on the condition of the fines being paid. It would seem that the ICO and the courts are now taking the issue of data protection seriously. Prior to the end of May this year, the maximum fine for a breach of PECR was £5,000, and it would seem a similar amount under the DPA. Since 25th May 2011, fines under PECR and DPA are now £500,000.

There is no connection between this case and the epidemic of accident claims texts; the stolen data was specific to T-Mobile, whereas the claims texts appear to be across all of the UK operators. Although the T-Mobile case involved theft of information (DPA) and the accident claims messages are a breach of permissions (PECR), it is good to see that the courts are taking these kinds of breaches more seriously.

T-Mobile data sold by employee: what is the real problem?

Yesterday’s announcement that a T-Mobile employee sold data, including phone numbers, names and addresses, raises some important issues for the sector.

The fact that it has been so widely reported shows that privacy is a major issue for people, especially when it comes to their mobile phones. Marketers need to understand the issue of privacy.

The response from the Information Commissioner’s Office (ICO) is interesting. The commissioner, Christopher Graham, said:
“If public trust and confidence in the proper handling of personal information, whether by government or by others, is to be maintained effective sanctions are essential.” In saying that he was pushing for greater penalties, suggesting that the individual should be jailed.

Fair enough. But there are greater issues than simply the bad behaviour of one individual.
Firstly, where is the corporate responsibility? T-Mobile state that the employee was sacked and that systems have been put in place to prevent it happening again. But why did it happen in the first place? And why should the blame go solely on one person? I believe that the operators have a responsibility to protect their data better. That isn’t just my view; you’ll find that the Data Protection Act also agrees with me!

The fact is that data leakages have been commonplace from the mobile operators for years. I know of one contractor who was working short term for an operator. He could see all of the data and SMS content from the operator’s users. His girlfriend was on the particular network, so for a bit of fun he decided to see if he could see her text messages. He could. And it turned out she was having an affair with someone else!

On a further issue of corporate responsibility for data, who was buying it? Again, the telcos or service providers who were intending to market to the T-Mobile customers should be carrying out the necessary due diligence to ensure the numbers were legitimately obtained.

The second issue is that of the ICO, and their response. Christopher Graham was asking for tougher penalties. Looking at the $5m plus fines raised against spammers in Australia, I would agree. However, as I have already said, it should also apply at a corporate level, not simply to ‘rogue’ individuals. In my experience, though, the problem with the ICO is not simply the penalties, but actually enforcing the regulations in the first place. I blogged about tracking some spammers a few months ago. However, the net result is that it seems the ICO are not sufficiently resourced to trace them in the first place. When they are given information on spammers, they do not seem to be sufficiently resourced to make a prosecution.

So, perhaps the lessons to be learnt from this are:
The operators should do more to prevent data losses in the first place
The ICO should be given more resources to investigate and make prosecutions