Two former employees of T-Mobile have been fined a total of £73,400 ($120,000) for stealing and selling sensitive data that alerted companies outside the network to the renewal dates for over 500,000 of the mobile network’s customers.
Former sales manager David Turley and employee Darren Hames eventually pleaded guilty to offences under Section 55 of the Data Protection Act (DPA), after a suspicious T-Mobile asked the Information Commissioner’s Office (ICO) and Kent Police to investigate the matter in 2009.
After a hearing at Chester Crown Court, Turley was fined £45,000 in “confiscation” costs to be paid within six months or face an 18-month prison sentence, while his accomplice Hames was asked to pay £29,200 or face 15 months in jail.
What the pair traded in was customer renewal data culled from the T-Mobile database, critical for any third party outfit wanting to make money by banking renewal fees gained from signing customers up to a different network.
The operation was sophisticated enough to use both intermediaries and data laundering – adding data picked up from other sources such as marketing opt-ins – as a way of attempting to disguise the data’s origins.
The investigation uncovered how Turley, who had by this point left T-Mobile to set up his own mobile data brokerage, would meet employee Hames in a public place and be given stolen records on a USB stick, paying the latter between £2,000 and £5,000 for the data.
T-Mobile estimates that the number of traded customer records was 556,355, many of whom would have been contacted by cold-calling sales agents as their contracts expired. An unknown number will have left T-Mobile as a result.
The fine is the largest yet handed down in the UK to employees found to have sold company data for personal gain and marks a new line in the sand for a crime believed to be much larger than has ever been reported. It is also the first time the ICO has issued a confiscation order to recover money gained from crime.
“Those who have regular access to thousands of customer details may think that attempts to use it for personal gain will go undetected. But this case shows that there is always an audit trail and my office will do everything in its power to uncover it,” said Information Commissioner, Christopher Graham.
Beyond the general theme of data theft, the case rips open the cut-throat and at times greedy economics that lie at the heart of mobile phone contracts. With profit margins high, competition for contract customers is intense with networks paying up to £250 for each person through the door, the ICO noted. The lure for criminals is strong.