Motor industry employee ordered to pay £25,500 for data theft
Published on Thursday, July 18, 2019 - 16:10 by Peter Galdies
Motor industry employee, Mustafa Kasim, has been ordered to pay a £25,500 confiscation order for accessing personal data without permission in a prosecution brought by the ICO. The case also saw him sentenced to six months in prison in November 2018.
Kasim had previously worked for accident repair firm Nationwide Accident Repair Services (NARS), and used his co-worker’s login details for a system called Audatex which estimates the cost of vehicle repairs.
He continued to exploit these login details to make cold calls even after he started a new job at a different car repair organisation, which used the same software system. The records contained customers’ names, phone numbers, vehicle and accident information.
This led to an investigation by the ICO and in November Kasim became the first person to be imprisoned following an ICO prosecution, under the Computer Misuse Act.
According to Mike Shaw, Group Manager Enforcement at the ICO, “Our investigations found that Mr Kasim had benefitted financially from his illegal activity. As a result of his activities, people whose data had been stolen received cold calls and his former employer faced huge remedial costs.”
Research has shown 25% of employees would sell confidential company data, even if it meant risking both their job and a criminal conviction.
In this case, there are several actions NARS could have taken to prevent the situation from occurring, which would have been significantly cheaper than not doing anything at all (especially considering the management time spent assisting the ICO with their investigation):
Only allow logins from white-listed IP addresses
Install perimeter security to flag logins from new IP addresses
Update leaver policies to include checks around which passwords are known, and if that is considered to be a risk, ensure the policy calls for passwords to be changed when an individual has left
Ensure staff are trained so they are aware of the data protection risks and consequences that will arise for themselves, their employer and the data subjects if access and personal data are misused
Use data tracking tools which monitor data usage from both employees and third-parties, enabling you to keep an eye on your data even when it leaves the building
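The first two controls in the list above, sketched as an added example (not code from NARS, Audatex or the ICO): an IP allow-list check and a first-seen-IP alert run over constructed login events. The network range, account names and event format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed approved office range (documentation address space, constructed).
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed login events: (timestamp, account, source IP, outcome).
SAMPLE_EVENTS = [
    ("2019-01-08T09:02:11", "a.jones", "192.0.2.14", "success"),
    ("2019-01-08T09:05:40", "b.smith", "192.0.2.27", "success"),
    ("2019-01-09T08:58:03", "a.jones", "192.0.2.14", "success"),
    ("2019-02-12T13:41:52", "a.jones", "198.51.100.77", "success"),
    ("2019-02-12T13:59:07", "a.jones", "198.51.100.77", "success"),
    ("2019-02-13T10:15:30", "b.smith", "192.0.2.31", "success"),
    ("2019-02-13T10:20:00", "b.smith", "203.0.113.5", "failure"),
]

def is_allowed(ip):
    """True if the source address falls inside an approved network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)

def review_logins(events):
    """Return a finding for every login that trips either control.

    outside_allowlist:  source IP is not in an approved network.
    new_ip_for_account: account already has a baseline and this IP is not in it.
    """
    seen = defaultdict(set)  # account -> IPs with a prior successful login
    findings = []
    for ts, account, ip, outcome in events:
        reasons = []
        if not is_allowed(ip):
            reasons.append("outside_allowlist")
        if seen[account] and ip not in seen[account]:
            reasons.append("new_ip_for_account")
        if outcome == "success":
            seen[account].add(ip)  # only successful logins extend the baseline
        if reasons:
            findings.append({"time": ts, "account": account, "ip": ip,
                             "outcome": outcome, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_EVENTS):
        print(finding)
```

The new-IP alert fires only once per address, while the allow-list check keeps flagging every login from outside the approved range, which is why the two controls are listed separately.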
Following the hearing in London the judge has determined Kasim benefited from thousands of pounds as a result of the offences. Whilst individuals can often view these situations as victimless crimes, the ICO is now making it clear that those who choose to pursue these illegal activities will face severe consequences.
Shaw commented: “Personal data obtained in this way can be a valuable commodity and selling it may seem like an easy way to make money but the penalties can be severe. The outcome of this case should serve as a deterrent to others.”
Kasim has three months to pay the confiscation order, plus £8,000 in costs, or could face a further 12 months in prison.