RAC duo busted for stealing and selling crash victims' data
- Reference: 1728647116
- News link: https://www.theregister.co.uk/2024/10/11/rac_worker_convictions/
- Source link:
Debbie Okparavero, 61, of Salford, and Maliha Islam, 51, of Manchester, had worked as customer services specialists at RAC's call center in Stretford until their "unlawful conduct" was spotted by the company and subsequently reported to the Information Commissioner's Office (ICO).
The RAC had installed unspecified security monitoring software, which showed Okparavero accessing and copying "personal information relating to people involved in road traffic accidents." A search of Okparavero's mobile phone revealed the data was then shared with Islam in a WhatsApp chat.
[1]
Some 29,500 lines of personal information were exposed, according to the ICO, Britain's data regulator. The chat messages shared between the pair suggested an unknown third party was paying for that data.
[2]
[3]
The two were handed six-month prison sentences, suspended for 18 months, and ordered to undertake 150 hours of community service at a Minshull Street Crown Court hearing on October 8. Both Okparavero and Islam pleaded guilty to offences under the Computer Misuse Act 1990 and Data Protection Act 2018.
[4]Northern Ireland cops whose info was leaked in 2023 may get £240M+ damages
[5]The fingerpointing starts as cyber incident at London transport body continues
[6]UK health services call-handling vendor faces $7.7M fine over 2022 ransomware attack
[7]UK Electoral Commission slapped for basic cybersecurity fails
According to the ICO, prosecution costs will be considered at a Proceeds of Crime hearing scheduled for March 5, 2025. Andy Curry, head of ICO investigations, said in a statement: "Accessing people's personal information when there isn't a business need to do so is against the law. To then take steps to profit from other people's misfortune by selling that information is appalling. We will always take action to protect the public from this type of unlawful behavior."
The ICO praised the RAC for its "swift action in bringing this breach to our attention enabling us to ensure justice was served."
The Register asked the RAC for comment but it had nothing to add.
[8]
RAC employees have been involved in similar criminal activities before. In [9]2021 , an ex-staffer pleaded guilty to charges of unsanctioned access to computer systems and selling that data to an accident claims management company, while in [10]February last year , the ICO highlighted another former RAC worker involved in a copycat incident. ®
Get our [11]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZwlLpzfmiQq7f-id6OAJnwAAAQY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZwlLpzfmiQq7f-id6OAJnwAAAQY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZwlLpzfmiQq7f-id6OAJnwAAAQY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://www.theregister.com/2024/09/25/psni_officers_affected_by_2023/
[5] https://www.theregister.com/2024/09/05/the_fingerpointing_starts_as_the/
[6] https://www.theregister.com/2024/08/07/ico_plans_to_fine_nhs/
[7] https://www.theregister.com/2024/07/31/uk_electoral_commission_ico/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZwlLpzfmiQq7f-id6OAJnwAAAQY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2023/02/03/roadside_recovery/
[10] https://www.theregister.com/2023/02/03/roadside_recovery/
[11] https://whitepapers.theregister.com/
Re: Wait a second...
Because the last government didn't do enough to address the prison system filling up, there is no spare capacity and the courts are under pressure not to impose custodial sentences if they think offenders aren't a public danger. A suspended sentence means little for most criminals as they always reason they won't get caught (or caught again), a few hours littler picking isn't going to spoil their life, so remains to be seen if the proceeds of crime hearing will result in any penalty that stings.
Regarding the third party, if there's an ongoing investigation (or the possibility) then they can't name names.
Re: Wait a second...
The duo are well and truly done for. Their careers as well paid keyboard monkeys are over. They might get jobs shepherding trolleys around a supermarket car park, or burger flipping, but that's about it.
The impact of their foolishness might not have hit them yet, but their future job experiences will be a constant reminder.
Well done RAC, it sounds like they pretty much did everything correctly (apart from maybe employ them in the first place).
RAC did everthing correctly?
To mind this is RACs fault because they have not patched the security hole this leak that used at least 3 times before.
Selling 'victims' data...
Cool.... Now do Facebook.... Because I sure as shiat don't have an account with them, Yet they DO gather, store and sell my personal information !
I don't know what is more shocking
That they got a slap on the wrist (you can be sure they were profiting from this) or that the ICO actually did something.
However, for those whose crash information was involved, depending on who the recipient was, this may well be rather far from justice being served.
The accident claims management company should have been in the dock with them
In this and the 2021 case It shouldn't be too hard to find out who the accident claims management company was! Even if they were paid in cash surely they just need to ask those people who's details were stolen who contacted them?
I know many people will just have put the phone down or ignored the email but a significant proportion must respond otherwise it wouldn't be worth the money.
150 Hours community Service
So how much did they make from this scheme to sell 30K lines of details?
Do they keep the money?
I doubt they were taking the risk for a £1 a contact, £5 might make the risk worth it, for 150 hours work afterwards.
Wait a second...
An unknown third party?
Surely any decision on suspending the custodial sentence should be based on the defendants co-operating in full with the investigation? Not handing over the purchasing scrote sounds like it should be grounds for NOT suspending the sentence...