Ex-T-Mobile Employees Fined £73,700 for data theft

The ICO has issued another set of fines for misuse of personal data and violations of the Data Protection Act. This instance, however, is clear-cut criminal behaviour rather than business misuse, or misunderstanding, of the Act.

Also in this instance, it appears that the incident came to light after T-Mobile conducted an internal investigation and reported their findings to the ICO. This is always the best thing to do.

From the ICO’s press release:

Two former employees of UK mobile operator T-Mobile who illegally stole and sold select customer data from the company in 2008 have today been ordered to pay a total of £73,700 in fines and confiscation costs as part of a hearing at Chester Crown Court.

Fairly significant fines (yet even the total is less than the fine levied against Surrey County Council despite the apparent much greater severity of the crime here). It may have been that this fine was the result of a Proceeds of Crime Act recovery rather than a direct DPA-related fine, which may explain the difference in values.

From the ICO press release, it appears the two individuals were selling customer data (names, addresses, telephone numbers etc.) unlawfully to third parties. It is not clear if the recipients of this data were “legitimate” companies or criminal enterprises themselves, but one has to question the intent of companies purchasing data in this manner.

While it is never going to be possible to fully ensure that your employees do not mishandle customer data, it is essential that you have proper processes and controls in place to minimise the risk and identify any such behaviour early. By reporting this to the ICO, T-Mobile will have been able to discharge their responsibilities and, by having a robust security setup to detect such events, it is unlikely that they will suffer any sanction from the Commissioner.

If your business was in the same position, do you think you would be able to detect your employees' misbehaviour and be able to reassure the ICO it was not a sign of systematic failings? If not, you need to address your security. Now.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years' experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential-standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in-depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.

This Post Has One Comment

  1. Garrards

    Thanks. You’ve certainly made me think about how important it is to have really robust security measures in place. Without these, a small company like mine would have no defence if anything similar happened.
