
Another RAC staffer nabbed for storing and sharing road accident data

(2023/02/03)


A former employee of RAC, one of Britain's major roadside recovery service operators, has pleaded guilty to data theft after traffic accident information he stored on his personal device was passed on to claims companies.

Asif Iqbal Khan, 42, was handed a £5,000 ($6,120) penalty, ordered to pay for court costs of more than £900 ($1,100) and a victim surcharge of £170 ($209) by Dudley Magistrates Court following an [1]investigation by the country's Information Commissioner's Office.

He admitted two counts of data theft last month, the UK data watchdog said. The probe was launched after 21 drivers involved in road traffic collisions received phone calls from claims companies wanting to take up their case.


Khan was working as an RAC customer solutions specialist in 2019 when the company started getting calls from suspicious drivers who had been called by claims companies in January that year.


The roadside assistance company reviewed ways that data could have been obtained and determined that Khan was the only one who had access to the data on the 21 crash victims. It then tipped off the ICO.

The ICO executed a search warrant at Khan's address, seizing two phones and a customer receipt for £12,000. Khan was found to have stored data relating to 272 individual incidents on phones he owned.


Khan pleaded guilty to the counts of theft in a breach of Section 170 of the Data Protection Act.

Stephen Eckersley, ICO head of investigations, [6]said in a statement: "Being involved in a road traffic accident can be deeply distressing – to then have this used and your data stolen as a result, adds insult to injury."

[7]Five British companies fined for making half a million nuisance calls

[8]Halfords slapped on wrist for breaching email marketing laws

[9]UK Info Commissioner slams use of WhatsApp by health officials during pandemic

[10]Unauthorised RAC staffer harvested customer details then sold them to accident claims management company

He added: "We know that receiving nuisance calls can be hugely frustrating and people often wonder how these companies got their details in the first place."

This is the second time an incident involving an RAC employee retaining road traffic accident data has gone to court. In 2021, former staffer [11]Kim Doyle pleaded guilty to charges of conspiracy to gain unauthorized access to computer data and selling RAC customer info to an accident claims management company.

In this instance, Doyle, at the time of 33 Village Lane, Higher Whitley in North Yorkshire, England, created lists of traffic accidents that included partial names, mobile phone numbers and car registration data. This was done without the RAC’s consent. She was subsequently fined £25,000 ($30,600), ordered to carry out 100 hours of unpaid work and pay £1,000 ($1,220) toward costs.


We have asked the RAC to comment, and specifically if it has undertaken any measures to try to prevent this from happening again. The company has yet to respond.

Following the earlier Doyle incident, it said at the time: "We take our responsibility for protecting personal data extremely seriously and take a zero-tolerance approach to any misuse of personal data." ®




[1] https://ico.org.uk/action-weve-taken/enforcement/asif-iqbal-khan/


[6] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/02/former-rac-employee-fined-for-stealing-data-of-victims-of-road-traffic-incidents/

[7] https://www.theregister.com/2022/12/08/ico_fines_marketing/

[8] https://www.theregister.com/2022/09/08/halfords_ico_email_breach_pecr_fine/

[9] https://www.theregister.com/2022/07/12/uk_department_of_health_and/

[10] https://www.theregister.com/2021/01/11/rac_staffer_unauthorised_computer_access/

[11] https://www.theregister.com/2021/01/11/rac_staffer_unauthorised_computer_access/





Bingo time

Halfmad

We take the security and confidentiality of your information seriously.

Lessons will be / have been learned.

Robust investigation.

Changes will be made.

Patronising advice to customers.

Blaming the dodgy staffers despite the need for organisational controls under legislation.

Re: Bingo time

JimC

Hard to see how you get 100% protection against people who are required to have access to the data as part of their job.

The very fact that they were able to pin it down to an individual firmly enough for the ICO to get a search warrant suggests pretty tight controls.

I'm more interested in to what extent the claims companies are targeted by the law.

Re: Bingo time

Hans Neeson-Bumpsadese

Yep. I've done plenty of data security assessments in my time. You can generally throw technology and rules at most of the threats (assuming management take it seriously enough to give you the budget to implement your design)....but the "bent DBA" bad actor is always the toughest nut to crack. Prevention is more of a personnel/vetting thing than an information security issue...the best that technology can do for the authorised-person-accessing-data (mis)use case is logging.

Re: Bingo time

Lil Endian

Agreed, but with a slight modification and addition. A single perpetrator, acting alone, will be identified with the correct systems in place, as you've indicated. Multiple perpetrators of a well planned and executed conspiracy is the toughest nut.

JimC: "...suggests pretty tight controls." -- Agreed.

Grinding nomenclature

Peter Prof Fox

customer solutions specialist == Someone on a checkout. In this case a call centre operator.

Re: Grinding nomenclature

NightFox

I recently saw a van liveried-up as "Xxxxx Seafood Solutions". I tried to imagine what the problem might be to which seafood was the solution, but I only managed to come up with a scenario whereby I'd just taken unexpected delivery of a sealion left to me by a previously-unknown distant relative in their will.

Re: Grinding nomenclature

Anonymous Coward

Yes, definitely fishy..

:)

Seafood Solutions...

Lil Endian

...aqueous seal pup puree?

[No seal pups were harmed in the forming of this joke!]

Re: Grinding nomenclature

Wyrdness

I don't trust anyone or any company who uses the word 'solutions' in this manner. Private Eye used to have a column dedicated to ridiculous uses of the word. Though it's fun to invent your own, such as "Posthumous subterranean interment solutions" (burials) or "horizontal storage solutions" (shelves).

What about the claims companies?

Graham 32

I doubt this is being done for fun. Have the claims companies involved been investigated? I expect they have paid for this information and knew it was coming through an illegitimate channel. They should be fined too.

Re: What about the claims companies?

Captain Scarlet

Although I agree, they would probably suddenly go Bankrupt.

Re: What about the claims companies?

Black Label1

And another company working in the same business, would be created around the corner of the same street in 3,2,1...

Re: What about the claims companies?

Lil Endian

IANAL

A company having been breached can be fined to penalise them for sub-par systems/controls. They are not being treated as complicit in the crime per se.

A company receiving stolen data is complicit in a crime. Even if the company goes bankrupt, the individuals could (bloody should!) be prosecuted. With the added weight of conspiracy which invariably increases the sentence. They (the individual) would be charged under "Section 170 (DPA) - Unlawful obtaining etc of personal data", as was Khan. Failure for an individual to pay a court issued fine (UK) is very often followed up with "Send him down!" - UK courts don't like being ignored.

Well, that's what the law permits. However, involving at least ICO -> Fuzz -> CPS -> Courts then seeing that through is another story - I ain't holding my breath.

information on his personal device that was passed onto claims companies

Anonymous Coward

1. every little helps, innit guv?

2. a victim surcharge of £170 for '272 individual incidents on phones he owned'

...

3. by the FUCKING way, when you pass on stolen goods to that fat friend of yours in a pawn shop, you just ONE party of the crime. Am I missing the other end of this thread? Case closed?

Maybe we need a law requiring people handling data to have qualifications ?

JimmyPage

Admittedly it would just be a pork barrel roll. But how else can we create money from nothing ?

On a serious note, if you can be barred from working with children, why can't you be barred from working with data about children.

#justthinkin'

2 questions

Terry 6

As noted by other posters, the claims companies aren't included in this story, so why not? Is this the limit to El Reg's journalism these days?

And what's with the $ translation. It's a UK story. If American readers want to have a precise figure I'm sure they can locate it themselves- an approximate guess is probably enough for the gist anyway.

Re: 2 questions

gotes

Or just add the currency conversion in the article. The value of USD is generally known by more than just USians. Why is it so offensive to include a currency conversion?

Re: 2 questions

PATSYQB

Don't bother- it'll be the same figure in a few years...

Why the doxxing??

BenDwire

I'm fairly sure this is the first article I've seen where a criminal has had their actual address published in full (**). Why on earth do that, especially as it's implied they no longer live there.

I have a friend who is currently undergoing a barrage of attack on his house as he decided to prosecute a dog owner whose pooch decided to take a bite out of my mate's todger. It turns out the dog owner is a nasty piece of work with friends in the local traveller community who are happy to lob bricks for a few quid. My mate was doxxed (intentionally?) by one of the people in the legal team, and as such his life is now a living hell. And his tackle still hurts.

Doxxing is not something that any professional publication should be doing, in my opinion.

(**) I've now realised this isn't the first article; The other one involved some clown at 10 Downing St.

Re: Why the doxxing??

Anonymous Coward

I think it was probably in the court papers, but I agree.

Even if it was a legal disclosure, it's in my opinion TMI and doesn't add anything of value to the article (unless the author gets paid by number of words :) ).

Who knew that...

PATSYQB

....the ICO could turn up with a warrant and search your private house? Anyone?

T 7

I'm amazed the ICO took the slightest bit of interest. Not because of the seriousness of it, but because the ICO seem to me to be entirely uninterested in the kind of low level day to day data theft / exfiltration that goes on routinely across the land. Fair play to them. I shall up my opinion of them by a notch.

re. I shall up my opinion of them by a notch.

Anonymous Coward

cynical mode on: one of those drivers called by one of those claim chasers happened to be somebody who knew somebody who knew somebody. In fact, the shorter the chain, the more likely the cause-and-effect link. It'd be fun (?) to find out if any of the top people at ICO have been involved in car accidents prior to their successful investigation. But hey, who'd investigate the investigators?

Re:happened to be somebody who knew somebody

JimC

Submit it's more likely that it was the only report they've received recently that actually pinned it down to an individual as opposed to "we think it was one of these 50 people. Probably."

But it doesn't matter how inept the ICO is, if they're presented with an open goal, as it appears the RAC did for them, then they're going to go for it because it's a nice press release that makes them look good.

I had an ambulance chaser ring me

Anonymous Coward

Car was parked in a car park, I was not in the car at the time; when I came back the car was mangled. So I told the insurance company this, yet I still get these muppets ringing me to ask if I was injured. So either the lease company who I leased the car from tipped them off or the body shop or the insurer.
