ICO Prosecution Leads to First Jail Sentence

Written by

A car repair company employee has been sentenced to six months in jail for data theft, in the first case prosecuted by the UK’s privacy watchdog.

Mustafa Kasim used his colleagues’ log-ins to access thousands of customer records without permission, while working for Nationwide Accident Repair Services (NARS), according to the Information Commissioner’s Office (ICO).

He continued to do so after moving to another firm which used the same software system (Audatex), used to estimate the cost of vehicle repairs.

It’s not clear why Kasim accessed these details, which included customers’ names, phone numbers, vehicle and accident information. However, an investigation was begun after NARS noted an increase in customer complaints about nuisance calls — indicating their personal data had been sold on to a third party.

Although the ICO would normally prosecute such cases under the GDPR-based Data Protection Act 2018 or its antecedent, in this case it chose to do so under the Computer Misuse Act 1990.

Kasim pleaded guilty to a charge of “securing unauthorized access to personal data” between January 13 2016 and October 19 2016 at London’s Wood Green Crown Court.

“Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behavior,” said Mike Shaw, group manager of the ICO’s Criminal Investigations Team.

“Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies causing unnecessary anxiety and distress. The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again.”

What’s hot on Infosecurity Magazine?