News of the illegal sale of the records of mobile phone customers of T-Mobile has been a leading item on many news programmes. While the original statement did not reveal the identity of the company concerned, subsequent developments made it clear that it was T-Mobile and this has since been confirmed by that company.
The statement from the ICO read as follows:
The Information Commissioner, Christopher Graham, is highlighting new evidence which shows that a deterrent custodial sentence is required to stop the trade in unlawful personal information. Christopher Graham is responding to the government’s proposal to introduce a custodial sentence for breaches of Section 55 of the Data Protection Act from 1 April 2010.
Investigators at the Information Commissioner’s Office (ICO) have been working with a mobile telephone company after the firm suggested employees allegedly sold details relating to customers’ mobile phone contracts, including their contract expiry dates. It is alleged that the information was being sold on to the service provider’s competitors whose agents were using the material to cold call customers prior to contract expiry dates to offer them an alternative contract. The service provider has alleged that many thousands of customer account details have been unlawfully obtained.
The ICO has investigated and it appears that the information has been sold on to several brokers and that substantial amounts of money have changed hands. The ICO has obtained several search warrants and attended a number of premises, and is now preparing a prosecution file.
Christopher Graham said: “Many people will have wondered why and how they are being contacted by someone they do not know just before their existing phone contract is about to expire. We are considering the evidence with a view to prosecuting those responsible and I am keen to go much further and close down the entire unlawful industry in personal data. But, we will only be able to do this if blaggers and others who trade in personal data face the threat of a prison sentence. The existing paltry fines for Section 55 offences are simply not enough to deter people from engaging in this lucrative criminal activity. The threat of jail, not fines, will prove a stronger deterrent.
Christopher Graham continued: “More and more personal information is being collected and held by government, public authorities and businesses. In the future, as new systems are developed and there is more and more interconnection of these systems, the risks of unlawful obtaining and disclosure become even greater. If public trust and confidence in the proper handling of personal information, whether by government or by others, is to be maintained effective sanctions are essential. This will not only underline the serious nature of the offence but will ensure that those convicted carry a meaningful criminal record. A custodial sentence will also have the added benefit of making the section 55 offence a recordable one and open up the possibility of extradition in appropriate cases.”
In another case, blaggers used forged identity documents to gain unlawful access to 41 people’s credit files held by a credit reference agency. The ICO is continuing its investigation.
Under the law as it stands, there is a public interest defence for section 55 offences.
The Information Commissioner notes that the defence available to journalists would be strengthened under the proposal for a custodial sentence.
Further details about the ongoing and previous cases are contained in the ICO’s submission to the Ministry of Justice’s consultation on the introduction of custodial penalties for offences committed under Section 55 of the Data Protection Act.
Late on 17 November, T-Mobile released the following statements. The original version is the version appearing first below, with typos corrected. Subsequent additional clarificatory statements follow.
T-Mobile takes the protection of customer information seriously. When it became apparent that contract renewal information was being passed on to third parties without our knowledge, we alerted the Information Commissioner’s Office. Working together, we identified the source of the breach which led to the ICO conducting an extensive investigation which we believe will lead to a prosecution. Whilst it is deeply regrettable that customer information has been misappropriated in this way, we have proactively supported the ICO to help stamp out what is a problem for the whole industry.
We had been asked before today to keep all information on this case strictly confidential so as to avoid prejudice to the investigation and prosecution. We were therefore surprised at the way in which these statements were made to the BBC today.
As soon as we have any further information available it will be posted in this thread. Please do not call customer services if you have read this thread as they are unable to provide any information beyond the statement above. As soon as we have any more information it will be published here.
An hour later, this statement was released.
T-Mobile is able to confirm that NO financial data has been passed on to any third parties.
Shortly thereafter, this statement, which partly repeats the first, was released:
T-Mobile takes the protection of customer information seriously. When it became apparent that contract renewal information was being passed on to third parties without our knowledge, we alerted the Information Commissioner’s Office (ICO). It should be noted that the records were restricted to historical information on customers whose contracts were coming up for renewal in a 15-month period up to December 2008. The customer information that was compromised contained no personal financial or security-related information whatsoever.
We were proactive in engaging with the ICO to identify the source of the breach. The ICO is conducting an ongoing investigation which we believe will lead to a prosecution. While it is deeply regrettable that customer information has been misappropriated in this way, information passed on to third parties was restricted to the customer name, address and contractual renewal information. We continue to work with the IC to help stamp out what is a problem for the whole industry.
