Company Director Fined Just £500 After Illegal Data Access

A company director has been fined a mere £500 ($788) despite being found guilty of illegally accessing an Everything Everywhere customer database, in breach of the Data Protection Act.

Matthew Devlin, 25, from the West Yorkshire town of Halifax, emailed and called various mobile phone distributors pretending to be a member of Orange’s security team in an attempt to get the log-in credentials with which he could access the database.

On one occasion he was successful and managed to access the records of over 1,000 customers, according to privacy watchdog the Information Commissioner’s Office (ICO).

Devlin’s plan was apparently to find out from said database when customers were due to upgrade their handsets, so that he could target them with services provided by his marketing and telecoms companies.

Remarkably, he was fined just £500 by Calderdale Magistrate’s Court for his breach of the Data Protection Act, plus £438.63 ($692) costs and a £50 ($79) “victim surcharge,” despite being found guilty of a criminal offence.

According to section 55 of the Data Protection Act, unlawfully obtaining or accessing personal data can result in a criminal conviction. However, the crime is currently punishable only by a fine of up to £5,000 ($7,887) in a Magistrate’s Court, or an unlimited amount in a Crown Court.

ICO Christopher Graham argued in a strongly worded statement that such fines are no deterrent for breaches of the DPA like this.

“Our personal details are worth serious money to rogue operators,” he added.

“If we don't want people to steal our personal details or buy and sell them as they like, then we need to show them how serious we are taking this. And that means the prospect of prison for the most serious cases.”

Senior politicians are in agreement. Deputy prime minister, Nick Clegg, argued earlier this month that “the penalties that exist at the moment are pathetic.” 
