Employees of T-Mobile have been accused of selling millions of customer records, and could be prosecuted by privacy watchdog the Information Commissioner's Office.
The data alleged to have been sold included customers' names, mobile numbers, contract details and the expiry dates of those contracts, an ICO spokesperson told ZDNet UK on Wednesday.
The ICO said the records had been sold through brokers to rival mobile firms, so those firms could cold-call T-Mobile customers when their contracts were due to expire, in order to offer them alternative contracts. The records were sold for substantial amounts of money, according to an ICO press statement on Tuesday.
The news that a mobile operator had been involved in a serious data breach was revealed on Tuesday in a submission by the ICO to a Ministry of Justice consultation. The consultation is asking whether custodial sentences for reckless data breaches would be appropriate.
An accompanying ICO press statement did not specify which mobile operator had been involved. However, it emerged through reports on Tuesday that T-Mobile had kicked off the ICO investigation when it approached the watchdog with concerns about its employees.
T-Mobile said in a statement on Wednesday that other parts of the mobile-phone industry had been involved in the misappropriation of customer data.
"While it is deeply regrettable that customer information has been misappropriated in this way, we have proactively supported the ICO to help stamp out what is a problem for the whole industry," said T-Mobile.
An ICO spokesperson on Wednesday declined to say which phone companies had allegedly bought the T-Mobile customer data, and declined to say if or when the case would go to court.
"It's too early in the investigation to say," said the spokesperson. The ICO is currently preparing a prosecution file.
The maximum fine available to the ICO for reckless data breaches is £5,000. The Ministry of Justice is currently consulting on whether the maximum fine should be raised to £500,000.