Watchdog reveals illegal sale of phone users' data

The Information Commissioner's Office is preparing a prosecution file against a mobile operator's employees who allegedly sold on thousands of customers' details to a competitor.The Information Commissioner, Christopher Graham, said in a statement on Tuesday that his office was highlighting the case in order to argue for custodial sentences for those who sell on personal data without permission.

The Information Commissioner's Office is preparing a prosecution file against a mobile operator's employees who allegedly sold on thousands of customers' details to a competitor.

The Information Commissioner, Christopher Graham, said in a statement on Tuesday that his office was highlighting the case in order to argue for custodial sentences for those who sell on personal data without permission.

According to the statement, ICO investigators have been working with the unspecified mobile operator, who suggested that "employees allegedly sold details relating to customers' mobile phone contracts, including their contract expiry dates".

This information was allegedly sold to the company's competitors, whose agents then used the details to cold-call those customers whose contracts were about to expire, offering them alternative contracts.

"The ICO has investigated and it appears that the information has been sold on to several brokers and that substantial amounts of money have changed hands," the statement read. "The ICO has obtained several search warrants and attended a number of premises, and is now preparing a prosecution file."

Graham said he wanted to "close down the entire unlawful industry in personal data", but would only be able to do so if the perpetrators faced prison sentences rather than fines.

"The existing paltry fines for Section 55 offences are simply not enough to deter people from engaging in this lucrative criminal activity," Graham said. "The threat of jail, not fines, will prove a stronger deterrent."

Graham added that a custodial sentence would also give a perpetrator a criminal record and "open up the possibility of extradition in appropriate cases".

The government is currently consulting on a new £500,000 maximum fine for organisations that breach the Data Protection Act — the current maximum fine is just £5,000 — while upcoming European telecoms laws make it mandatory for organisations to report data breaches to the relevant regulators.

UPDATE: It's T-Mobile who got hold of the ICO. A statement reads:

T-Mobile takes the protection of customer information seriously. When it became apparent that contract renewal information was being passed on to third parties without our knowledge, we alerted the Information Commissioner's Office.

Working together, we identified the source of the breach which led to the ICO conducting an extensive investigation which we believe we will lead to a prosecution. While it is deeply regrettable that customer information has been misappropriated in this way, we have proactively supported the ICO to help stamp out what is a problem for the whole industry.

We had been asked before today to keep all information on this case strictly confidential so as to avoid prejudice to the investigation and prosecution. We were therefore surprised at the way in which these statements were made to the BBC today.

ZDNet UK tried to get a comment out of the ICO as to why it publicised the case, but they refused.