CYFOR Blog

An employee who harvested customer details for financial gain has received an eight-month suspended prison sentence for unauthorised access to computer data.

As reported by The Register, an employee at the emergency roadside rescue company, the RAC, has received an eight-month suspended prison sentence for unsanctioned access to computer systems that saw her sell customers’ data to an accident claims management company.

Kim Doyle pleaded guilty to charges of conspiracy to secure unauthorised access to computer data and cashing in on RAC punters’ personal information that she passed to William Shaw, director of TMS (Stratosphere), trading as LIS Claims. Doyle was sentenced at Manchester Crown Court on Friday, 8 January. The court heard that Doyle generated lists of data on road traffic accidents, including partial names, mobile phone numbers and registration numbers, even though she was not given consent by the RAC to do so.

William Shaw also pleaded guilty to conspiracy to secure unauthorised access to computer data and saw his sentence suspended for two years following an investigation and case brought by UK data watchdog the Information Commissioner’s Office (ICO). The ICO said there is evidence that the information sold to LIS Claims was subsequently used to make nuisance calls, one of which reached a driver at fleet management company Arval. That driver had been in an accident and the RAC carried out the recovery of the vehicle, raising suspicions of a data leak at RAC. The RAC then ran a data leakage scan of its Outlook mailboxes and discovered a trail that led it to find Doyle’s unauthorised lists of customer data.

Mike Shaw, head of criminal investigations at the ICO, issued a canned statement, saying this is not a victimless crime as they have a “detrimental impact” on the public and businesses.

“People’s data is being accessed without consent and businesses are putting resources into tracking down criminals. Once the data is in the hands of claims management companies, people are subjected to unwanted calls which can in turn lead to fraudulent personal injury claims. This case shows that we can, and will take action, and that could lead to a prison sentence for those responsible. Where appropriate we will work with partner agencies to make full use of the Proceeds of Crime Act to ensure that criminals do not benefit financially from their criminal behaviour.”

Lewis Bloomberg, Head of Corporate Forensic Investigations at CYFOR commented;

“The unauthorised access of customer’s personal data is an alarmingly common occurrence across many industries. In this instance, there is a clear motive, which is financial gain. CYFOR regularly undertake investigations to evaluate and uncover employee data theft. Our investigations can identify specific files targeted and dates/times of access, to fully inform the affected customers and assure them that the incident has been dealt with comprehensively and taken extremely seriously. Our court-admissible reporting can also be highly effective in recovering costs, reducing reputational damage, and alerting clients and regulatory bodies.”