Categories: RegulationSecurity

ICO Launches Investigation Into T-Mobile Data Scandal

The Information Commissioner’s Office (ICO) has launched an investigation into the unlawful trade of personal information, following its discovery that staff at mobile phone company T-Mobile sold thousands of customers’ details to third-party brokers.

The news emerged after T-Mobile alerted the ICO that employees had allegedly sold details relating to customers’ mobile phone contracts, including their contract expiry dates. Competitors were then using the information to cold-call customers as they were reaching the end of their contracts to offer them alternative deals.

“Many people will have wondered why and how they are being contacted by someone they do not know just before their existing phone contract is about to expire,” said the information commissioner Christopher Graham. “We are considering the evidence with a view to prosecuting those responsible and I am keen to go much further and close down the entire unlawful industry in personal data.”

Graham was initially reluctant to name the operator involved, in case it prejudiced a prosecution, but yesterday evening a spokesman for T-Mobile confirmed that the company had “pro-actively” approached the the government’s privacy watchdog after making the discovery.

“T-Mobile takes the protection of customer information seriously,” said the spokesman. “When it became apparent that contract renewal information was being passed on to third parties without our knowledge, we alerted the Information Commissioner’s Office (ICO). Working together, we identified the source of the breach, which led to the ICO conducting an extensive investigation which we believe we will lead to a prosecution.”

According to the ICO, the information has been sold on to several brokers and substantial amounts of money have changed hands. Graham has described the data breach as the biggest of its kind.

The T-Mobile brand suffered more embarrassment earlier this year, when owners of T-Mobile Sidekick in the US were warned that they would “almost certainly” have lost their personal data following a server failure at Microsoft. However, sales of the smartphone resumed yesterday, following a six week period of data restoration which got at least some users’ data back.

In response to the latest scandal, Graham hopes to win support for the government’s proposal to introduce a custodial sentence for breaches of Section 55 of the Data Protection Act from 1 April 2010. Section 55 states that a person must not knowingly or recklessly, without the consent of the data controller, (a) obtain or disclose personal data or the information contained in personal data, or (b) procure the disclosure to another person of the information contained in personal data.

“More and more personal information is being collected and held by government, public authorities and businesses,” said Graham in a statement. “If public trust and confidence in the proper handling of personal information , whether by government or others, is to be maintained effective sanctions are essential … A custodial sentence will also have the added benefit of making the Section 55 offence a recordable one and open up the possibility of extradition in appropriate cases.”

The ICO is backing up its case for introducing jail sentences with a separate case, in which forged identity documents were used to gain access to 41 people’s credit files, as ell as several other cases which highlight the need for tougher sanctions to deter the trade in personal data.

Some concern has been expressed in the past that heavy penalties for misuse of data could be detrimental to investigative journalism. However, the ICO stresses that the defence available to journalists would be strengthened under the proposal.

Sophie Curtis

View Comments

  • Companies need to have a strong access management strategy in place to protect all critical applications and data - especially customer databases - and further need to ensure that the access strategy and corporate policies are being adhered to across the business.

    Insider data breaches like these rear their ugly heads far too often, and it's important for enterprises to ensure that they aren't simply trusting their employees to do the right thing, but also utilising automated preventative and detective controls to keep everyone honest.

  • This breach is a reminder that organizations should be proactively reviewing employees data privileges to ensure that they only have access to the information that is required to perform their duties. In addition, having database activity monitoring solutions in place will allow companies to monitor sensitive data and issue immediate alerts if inappropriate access occurs.

    Thom VanHorn, VP of Global Marketing, Application Security, Inc.

    http://blog.appsecinc.com

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 hours ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 hours ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 hours ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

1 day ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

1 day ago