ICO fines text spammers nearly £500,000

Last week the ICO reported that the directors of a company heavily engaged in spam texting (sending unsolicited commercial messages to people's mobile / cellular phones) have been fined significant sums of money – this is the first action from the ICO using new powers granted in January 2012.

This was an investigation under the Privacy and Electronic Communications Regulations (PECR) into a company called Tetrus Telecoms, jointly owned by Christopher Niebel and Gary McNeish, who were sending out as many as 840,000 illegal text messages every day.

According to the ICO’s press release, the text messages were the injury and loan compensation messages that people have become accustomed to. The idea is that people who replied – either asking for more information or simply trying to stop the messages – confirmed that their number was live and owned by a human. Tetrus Telecoms then sold these details on to other companies for around £5 per person. The ICO has claimed that this was netting them in the region of £7000 – £8000 per day.

The main lesson for people is clearly stated by the ICO: (emphasis ours)

Our message to the public is that if you don’t know who sent you a text message then do not respond, otherwise your details may be used to generate profits for these unscrupulous individuals. Together we can put an end to this unlawful industry that continues to plague our daily lives.

Responding in any way, even with the “stop” or “end” messages they claim will put a stop to the texts, is a big mistake. It won’t stop the messages (you will get more) and it makes your number a valuable commodity to the spammers.

Unfortunately, no amount of fines from the ICO is going to put a stop to this sort of activity – even with the massive £440,000 worth of fines here, the company is likely to have made more than twice that from the sale of numbers. Until the ICO is able to push for custodial sentences for spammers (or at least much larger fines), the only way to stop this is for everyone to ignore the spam texts.

There is a secondary effect – the ICO is looking to begin investigating the companies which have bought these details.

It is important that any company that has bought data from Tetrus or Niebel or McNeish in the past, now carefully checks that the proper customer consents have been obtained and that they are acting within the law. We are working with the Ministry of Justice to consider whether further enforcement action should be taken against any of these associated companies, including the cancellation of their authorisation to operate.

The profits that Tetrus have made have come from companies who are themselves breaking the law and it seems likely that eventually the ICO will come knocking.

If you, or your company, have paid a third party to provide you with marketing details, contact information or even “leads” then you really need to make sure you have a robust, and audited, governance system in place.

It is your responsibility to ensure that the third party you have bought the data from is acting within the law and that you are not holding and processing unlawfully collected information.

So the points to consider are:

  • If you aren’t doing this, you have opened yourself up to the risk of significant monetary penalties and reputational damage.
  • If you don’t know if you are doing this or not, then you need to address your governance as a matter of urgency.

It is critically important that you carry out proper due diligence on all your providers – be it products, raw materials or marketing data. If you fail to do this, you will suffer the consequences eventually, so make sure you have a large set of funds allocated to the remediation action.

If you want assistance in reviewing, building or improving your governance processes across all domains (security, supplier, supply chain etc.), then get in touch and we would be happy to discuss this further.

Don’t leave yourself open to unnecessary risks.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years’ experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in-depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.