ICO investigating mobile firm over data leaks

Information Commissioner Christopher Graham wants jail terms for data thieves

The Information Commissioner's Office (ICO) has revealed that mobile phone customer records are routinely being sold on illegally.

The ICO has published the results of a large number of its investigated cases, including an incident involving a mobile phone company at which staff were allegedly selling customer and contract expiration details.

Christopher Graham, the Information Commissioner, said that "blaggers and others" who trade in personal information should be aware that the ICO will act decisively when it is aware that the law has been broken.

Government proposals to introduce custodial sentences for such criminals should take effect from 1 April next year.

"Many people will have wondered why and how they are being contacted by someone they do not know just before their existing phone contract is about to expire," said Graham.

"We are considering the evidence with a view to prosecuting those responsible, and I am keen to go much further and close down the entire unlawful industry in personal data.

"But we will only be able to do this if blaggers and others who trade in personal data face the threat of a prison sentence. The threat of jail, not fines, will prove a stronger deterrent."

The ICO has worked closely with data controllers at the mobile phone company involved, and warned that the breaches could affect hundreds of thousands of customers, suggesting that it is one of the larger providers.

The details had been sold to a number of third parties for cash, and the ICO has already searched some premises and is preparing a number of arrest warrants.

"More and more personal information is being collected and held by government, public authorities and businesses. In the future, as new systems are developed and there is more and more interconnection of these systems, the risks of unlawful obtaining and disclosure become even greater," said Graham.

"If public trust and confidence in the proper handling of personal information, whether by government or by others, is to be maintained, effective sanctions are essential. This will not only underline the serious nature of the offence, but will ensure that those convicted carry a meaningful criminal record."

Ross Dyer, a technical manager at security firm Websense, pointed out that the sale of information highlighted the very real threat posed by staff.

"With the current economic downturn bringing additional pressure, staff will be more prone to giving in to the temptation of compromising data assets for their own personal gain," he said.

Dyer added that businesses should put systems and procedures in place to help mitigate the risk of data leaving the enterprise.

Mark Tickle, managing director for Europe at security firm Webroot, said that he is not surprised to hear about yet another data leakage, warning that email is the most common way to get data out of an organisation.

"We urge organisations to do more to protect their data by gaining better control over employee access to and use of sensitive information," he said.

"Both public and private sector organisations need to start treating their customers' information as their own, and ensure that confidential information stays where it should stay - inside the organisation."