A MOTOR industry employee has been jailed for six months in the first case of its kind after accessing the personal data of thousands of customers.
Mustafa Kasim, of Palmers Green, London, obtained their records without permission while working for Nationwide Accident Repair Services and gave the information to claims management firms.
He used colleagues’ login details to get into the software system Audatex that lets garages and customers estimate the price of vehicle repairs and servicing, and carried on doing it after starting a new job at a different, unnamed car repair organisation that used the same system. The records had customers’ names and phone numbers plus vehicle and accident information.
Nationwide Accident Repair Services contacted the ICO when it saw an increase in customer complaints about nuisance calls and helped the ICO with its investigation, which led to the first prosecution of its kind to be brought by the office.
The ICO usually prosecutes cases such as this under the Data Protection Act 1998 or 2018, depending on the circumstances, but prison isn’t a sentencing option. However, in certain instances it can prosecute under other legislation and did so for Kasim, using section one of the Computer Misuse Act 1990, to reflect the nature and extent of the offending and for the sentencing court to have a wider range of penalties.
At a hearing at Wood Green Crown Court in north London in September 2018, Kasim admitted a charge of securing unauthorised access to personal data between January 13 and October 19, 2016 and has now been sentenced at the same court.
Afterwards, Mike Shaw, head of criminal investigations at the ICO, said: ‘People who think it’s worth their while to obtain and disclose personal data without permission should think again.
‘Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature and extent of the criminal behaviour.
‘Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights.
‘Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies, causing unnecessary anxiety and distress.
‘The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again.’
Confiscation proceedings under the Proceeds of Crime Act to recover any benefit obtained as a result of the offending have started and are ongoing.