back to article T-Mobile coughs to data theft

T-Mobile has admitted it was the operator whose staff sold customer data to competitors, but can't understand why the Information Commissioner decided to share the information. Staff at the network operator had developed a sideline selling customer records to brokers who then called up the customers to offer alternative …


This topic is closed for new posts.
  1. Jimmy Floyd


    "'s clear that the ICO has manipulated this case into a cause celebre with impact far beyond its real importance."

    Maybe, but then we go back to those arseholes who were wont to phone up from <insert phone company here> Upgrade Service, conveniently separate from <phone company>. People who aren't entirely on the ball (which nearly included me) could easily be taken in by a weaker contract and poor quality phone, if they thought it came from the network.

    In my case, the fact that they were pretending to phone up from Orange when I left them years before was kind of a giveaway.

  2. djack

    What other data, and wose data?

    As I'm a long-time customer of T-Mo, I am quite concerned about this. I have to wonder whether this was purely limited to end of contract details as the people involved were dishonest scumbags who couldn't care a jot for the privacy of their employer's customers. I'm sure more complete personal and credit information would have netted them much more dough than just my phone number and contract end date.

    While I have no complaints at all of T-Mo's handling of this as they were following direction from the ICO, I hope that they are now planning on full disclosure to the people affected and notification to each customer as to whether their data was likely exposed or not.

  3. Graeme Hill

    Conspiracy theory alert.....

    Wonder if it was Orange paying for the info to pass to dealers/reps to get a better deal on the merger?

    Mines the flame retardant jacket with the official secrets folder in the pocket, and the bag with the stolen government laptop is mine as well.....

  4. Paul_Murphy

    I would argue..

    >impact far beyond its real importance

    That allowing this selling of customers details can't just be let go with a shrug of the shoulders.

    Any release of personal information can potentially be used by others to pretend they are you, or to contact you and show that they must be an authorised person (since how else could they know this info?) thereby increasing the chances of successful social engineering.

    What's the point of me shredding all the envelopes and pre-filled in forms that I get sent, only for my mobile phone provider (in this instance) from selling that same info on?

    It's not even as though they are giving me a discount on the phone or contract because of the additional income they will be getting from their unauthorised use of my data.


  5. Anonymous Coward
    Anonymous Coward

    Keep your details to yourself... the first place. I get pre-pay phones off ebay, or pay by paypal if from a dealer. No contract, no registration, no details handed over. Top up vouchers paid in cash. I do sometimes get calls from the previous owner's chums.

  6. Anonymous Coward
    Black Helicopters

    £2 a pop

    I've seen B2B leads for expiring mobile phone contracts trade for £2 a pop, consumers usually less so. You can bet that it's not just T-Mobile having their data ripped off, they perhaps should deserve some credit for dealing with one of the mobile phone industry's dirtiest little secrets.

  7. Digger 1

    Contract Breach?

    so, is this a breach of contract between myself and T-mobile and grounds for canceling a contract?

  8. Number6

    Cold callers and a cold night in Hell

    They can leave me off their list, my number is TPS registered and it would be a cold night in Hell before I would buy anything from a cold caller. I guess I could go along with them for long enough to get a company name for the TPS complaint before admitting that though.

  9. GettinSadda

    I'm on T-Mobile

    I'm on T-Mobile and I while back I had a real problem with a company calling up and claiming to be T-Mobile, but it was obvious that they were not.

    They said that my contract was up for renewal and so I could have a new phone (my contract was far from its renewal date).

    I simply asked them to prove they were T-Mobile by telling me the model of my phone. They told me they didn't have that information. I said that they supplied the phone to me so they must know. They said that they don't keep a record of what phone I buy. "So", I said, "why do I see details about my phone when I log into the T-Mobile website?". Their answer: "Do you want a new phone or what?"

    After about 10 calls in the same week from the same bunch I simply started yelling "F**k off!" and putting the phone down. They soon stopped.

  10. Dan 10


    1. Your sensationalist headline gives the impression that T-Mobile is itself responsible for the data being sold on, when the story states that the cause would appear to be a loose cannon within the company.

    2. The same headline also implies that T-Mobile are somehow being flippant with regard to customer privacy, when in fact their willingness to investigate and co-operate indicates the opposite.

    3. I disagree that this has become a cause celebre far beyond it's own importance. Ok, so the data isn't as intrusive as some other examples, but so what? Companies need to start taking this stuff seriously, and rightly so.

    Poor reporting indeed.

    Disclosure: I don't work for T-Mobile, am not a customer of theirs or have any links of any sort with the company.

  11. Chris 202

    Phone book?

    My details aren't in a phone book and I object to my information being sold. You may find it innocent enough but those same people would also have access to address and bank details.

  12. Dunstan Vavasour

    Publicity Officers

    The reason why cases like this get splashed everywhere is probably this: the press officers for such organisations are assessed/bonused on the amount of coverage, not its quality/meaningfulness.

    "Employer catches employees misusing data and takes proper steps to stop it" doesn't drive column inches. Whereas the meaningless term "Data Theft" will garner attention, which can be cited when the press officer is negotiating this quarter's bonus.

    Cynical? Moi?

  13. button_trooper

    Surely not...

    No remark about all the things t-mobile should have done to prevent the leak in the first place Bill? That's not like you :p

    I think you're right though, the ICO brought this out to further their cause politically. So are they not so keen on prosecuting the miscreants now? Or was that just a line to shut T-Mobile up so their politicking could have maximum effect?

  14. Anonymous John

    "denials out of all the other operators"

    Hmm. The last time my (not T-mobile) contract was about to expire, I got phone calls trying to poach me.

  15. Anonymous Coward
    Anonymous Coward

    Don't they all do it?

    Ok, i get that it's irrelevant WHAT details they steal, there needs to be an example made to discourage it in future, but let's remember that EVERYONE gets phone calls from third parties around contract renewal time, no matter what network they're on. I usually get a solid month of calls the month after i renew mine. So either the network itself is selling the details, or the staff are doing it.

    Also, here's a hint. When you say no to these companies they often just sell your details onto another company, it's standard practice, if you claim to be 15 years old they just scrub your details 90% of the time, it usually works pretty well for me!

  16. Dafydd Lawrence

    Not that trivial!

    "Customer details are in the phone book, and most people will tell you their contract renewal date if you call them up and ask (as cold callers are wont to do)."

    Jeez, this might not be a hanging offence but Bill you really are going in the wrong direction with this one. The Register normally takes a decent enough stance on data theft and the need for a greater powers for the ICO.

    Which phone book contains customer details? Do you mean the BT one that is now approaching the size of a magazine (if you take out the business listings) as there are hardly any customers who wish to be included in it as they don't want random marketing calls?

    How on earth do you feel justified in writing the comment that people will give up their contract renewal date if asked by a cold caller? Where are your sources to back that up? The only empirical evidence I presume you have is that you, yourself, are willing to divulge that information when asked?

    The cold callers in this case can use this information to deceive people into thinking they are calling from T-mobile. For example "Hello Mr Johnston, as you are a valuable customer I wish to offer you a great deal on the renewal of your contract next month..."

    This goes beyond the irritation of just receiving unsolicited calls.

    The other point is that the money that the staff were suposed to be making from these sales is far greater than the maximum fine of £5000 and so there is no disincentive to doing this.

    It will still be up to a court to decide the penalty but I can see some cases where a jail term would be warranted and certainly maximum fines that would allow recovery of all money made and more.

    Are you really happy that any of your information could be available for sale to anyone else with little repercussions? Credit applications, bank details, shop purchases, travel plans...Really?

  17. Craig (well, I was until The Reg changed it to Craig 16)

    Not just T-mobile insiders selling to other providers.

    I have under two months left on my T-mobile contract and T-mobile have a very clear "do not sell my details or pass them on without my permission" notification from me. Last week, I had 5 companies call me, all starting with a variation of "Hi, this is T-mobile, your contract is due for renewal", when pressed, they admit they're resellers who've bought my data from T-mobile.

    T-mobile deny selling my data when I challenge them, even though the reseller says they got it from T-mobile and there's not too many other ways they could get my name, phone number, address, renewal date, phone type, etc.

  18. Anonymous Coward
    Anonymous Coward

    Except that...

    ...the ICO didn't splash the story. They said it was a UK mobile phone operator and T-mobile decided to fess up. They could have kept schtum.

    I think however the issue goes deeper than most of the media version of the story would have us believe.

    T-Mobile admit some of their staff were doing this, but how did it all start? Somebody must have put the staff in touch with the brokers.

    The press are making much of the T-mobile staff being prosecuted. What about the brokers? If you want to stop the sale of data the punishments for buying need to be at least as harsh as those for selling.

    Who were these brokers working for? Is their any evidence their employers had any knowledge of what was going on? More potential for prosecutions?

    The other major operators were very quick to deny any involvement, but these brokers were selling contracts with their networks. How much investigation has been carried out to see if there was a more formal link? Have the other operators been investigated to see if it was only T-Mobile staff that were involved? I'm having a hard time believing it was that isolated.

  19. Anonymous Coward
    Anonymous Coward

    T-Mobile couldn't have handled it better?

    Fair enough, but it would appear T-Mobile had such a lax set of systems and procedures in place that they allowed the information to be taken out of the company so easily.

    They are certainly far from blameless in all this. If the people at the top knew that data breaches such as this meant their ass would be slung in jail, do you think they would be so blasé about data security?

  20. Martin Silver badge
    Thumb Down

    @AC - 11:32 - being a bit disingenuous...

    "...the ICO didn't splash the story. They said it was a UK mobile phone operator and T-mobile decided to fess up. They could have kept schtum."

    Oh, come on. You phone Orange, O2, Virgin, T-Mobile, Vodafone and one or two others, and say "Are you working with the ICO on a data theft case?" All bar T-Mobile say "No"; T-mobile refuse to comment. It doesn't take Sherlock Holmes to make the obvious deduction - and then they have to come clean.

    So technically, no, the ICO didn't splash the story. But they must have known the information would get out.

  21. djack

    @AC @ 11:32 GMT

    Admittedly the ICO didn't directly identify T-Mo, their publishing of the story directly lead to T-Mo having to 'fess up.

    We have five mobile carriers of any significance. The other four flatly denied that the story had anything to do with them. Journalists can easily put two & two together .

    T-Mo had two choices, either deny the story and face lots of accusatory stories about them doing so for months and then be completely roasted several months down the line when things go to court.. Or they could admit it now.

    If T-Mo are going to have any shred of believability when they claim that it had not condoned the leak they had only one choice.

  22. Anonymous Coward
    Anonymous Coward


    The ICO need to be careful that they dont make companies fearful of telling them about such incidents in future. If they feel that they are going to be splashed all over the front pages, as well as having to conduct all the usual audits and bureaucracy each time there's a problem then its going to make firms reluctant to let the ICO know.

  23. Havin_it

    We're gonna need a bigger jail...

    Not sure if I support sending anonymous T-Mobile goons to clink for doing what (judging by the comments above) everybody seems to be doing in the industry. Fines, both at the individual and corporate level, seem reasonable though.

    Like others above, I find the tone of this piece a bit off-message for the Reg, where consumer-data privacy breaches of similar or even smaller scale usually get pretty short shrift and the ICO is usually bemoaned for its lack of balls (well okay, lack of empowerment really).

    I don't like this behaviour one bit personally, and if I found myself subjected to it I'd be doing all I could to get someone punished/fired/fined for it. Am I petty, or is it just OK because everyone's doing it?

  24. Witty username
    Thumb Up

    this isnt new

    When i was with them years ago, i had calls "on behalf of tmobile" to offer me some dodgy contract.

    i found it great fun to get them to explain every single part of the contract, the phone, the price plan, the payments etc etc for a good 25 minutes (usually while doing something equally inane like playing WoW) then saying "actually...nah sounds shit, bye" then hanging up.

    they gave up after the 3rd time i wasted their operaters time. bellends

  25. Annihilator Silver badge

    Always happens

    I heard this story last night on the radio and assumed it was O2. Have nearly always received a sudden influx in cold calls from non-O2 people, trying to get me to upgrade. However - it could well be that O2 outsource their (what I imagine is called) "proactive retention team" to A.N. Other company. I've never stuck with the call for long enough before yelling F.O.

    A calm response I've started taking though, is declining to talk to any company other than X about my account with X and gently hanging up. I also like the new idea suggested by a commentard recently of "I'm sorry, I don't have a phone" and hanging up. My other favourite is "give me a minute while i find a pen for the details" and place them on hold until they give up and have an unnecessary phone bill.

  26. Anonymous Coward
    Anonymous Coward

    I suspect the ICO released the details pour encourager les autres

    Judging by the comments here and elsewhere, it's not just T-Mobile customers who've been cold-called by the switch-merchants: I'm with Orange and have received many calls from a Liverpool number asking me when my contract is due for renewal (asking why they don't know this already if they're calling from Orange and why they aren't calling from an 07973 number always elicits a hasty disconnection from the other end).

    T-Mobile's bad apples have been caught out here, but I'll wager the practice is widespread throughout the industry: the more publicity there is around this case, the more people will pay attention to unsolicited calls and the fewer will get scammed.

  27. TimB
    Black Helicopters

    So thats where they come from...

    I started a new contract with T-Mobile about 2 months ago. Previously I'd been on O2, and in 5-6 years I'd never had a single cold call. Within a week of moving, I was getting cold calls from one particular number offering me an 'upgrade'.

    At least now I know how they got my details.

  28. Anonymous Coward

    I'm a long time T-Mobile customer...

    And this is a cold call I received not so long ago...

    "Hello there Mr AC. This is T-Mobile and we've noticed that your contract is up for renewal soon. Would you be insterested in blah blah...?"

    "Er... I don't think so love, I'm on Pay As You Go. Nice try though!"


  29. Steve Renouf
    Big Brother


    It's the usual "Let's fear-monger this totally out of proportion so that we can get our ulterior motive policies through easier" processes at work.

  30. Anonymous Coward
    Anonymous Coward

    Blame the staff, why not?

    Four years with Tmo, including two 18 month contracts. At the end of each I got a ream of persistent calls from third party companies, some claiming to be tmobile trying to flog me a new contract. I moaned at TM each time, getting the usual bland fob-off from the Philippines, and an ongoing assurance that I WAS opted out of marketing info.

    Took a contract out with Orange and called TM a few days later to cancel the account - guess what? A mere 3 days before, someone - they claimed it was me - had renewed my contract. It was duly cancelled, and the TM bloke muttered something implausible about a third party agent renewing it to collect commission. In which case why on earth would they think it was me who renewed.

    The only defence for TM is that Three were infinitely worse - a call 4 times a day at one point pimping insurance.

    Unsolicited callers (which is anyone trying to sell me something) of any description get very, very short shrift from me. The only communication they get from me (before they get a word in) is "Just one second till I grab a pen..." Followed by snoring if I've been working nights, or silence the rest of the time. Surprisingly, the novices do give it a minute or so.

    Until they start jailing the staff running the sidelines, and fining the companies (more likely) who pimp the details something more that 200 percent of the profit made on each infraction, plus 10 percent of turnover for each year they're caught, this will roll and roll. Theft is theft, and I couldn't really care less how disproportionate the punishment actually is.

    Thieves, liars, cheats. And that's just the employers.

  31. Anonymous Coward

    Dealing in stolen property

    I thought dealing in stolen property was a criminal offence already.

    I thought it already had prison as a possible sentence.

    When can we expect someone to be locked up for dealing in stolen cellphone account records?

    As has widely been pointed out, fines don't work in cases like this or in corporate cases of any kind. In a corporate case, the fine just gets passed on to the customers and the managers/directors effectively go unpunished. If the laws were enforced in such a way that there might actually be an effective punishment, people in authority might behave slightly differently.

    Where do the MVNOs fit in this picture? Are their records at risk too if they're piggybacking on T-Mobile? (e.g. Asda????).

  32. Rob

    @Dunstan Vavasour

    Not likely, they are still basically civil servants, so it'll be when a red hot ugly fella starts skating to work that you can use 'bonus' in the same sentence.

  33. Anonymous Coward
    Thumb Down

    Had this been in an Indian Datacentre

    .. we'd seen much more hue and cry.. many more comments.

  34. Anonymous Coward
    Anonymous Coward

    Title shmitle

    I don't think it's so trivial. Once the T-Mob nogoodnik accepts Mr Shady Broker's offer of a wedge of cash for names, numbers and end dates it's easy for him to be blackmailed into passing more sensitive information. If the penalty was higher in the first place it may be more of a deterrent.

  35. Mark Eaton-Park
    Thumb Down

    It sounds like T Mobile have acted correctly and ICO have not

    I understand from your report that the reason that TMo were told not not disclose the data theft was to avoid damaging the legal case against said theft.

    I take it that the ICO can prove that they took legal advice that guaranteed that the case would not be weaken before making their broadcast. If the ICO cannot show evidence to support their breach of confidence then there should be an official investigation of the ICO.

    My reading of your report is that TMo acted correctly and the ICO have tarnished TMo's image for the ICO's benefit a clear case of abuse of trust.

  36. Anonymous Coward

    Bite back

    Funnily enough, O2 called me shortly before my contract with 3 was due to expire. I listened to the deal they were offering, thought it sounded pretty good, so called 3 and told them "look, my contract's almost up, O2 are offering this, what can you do for me?". Unsurprisingly they made me an offer I really didn't refuse! ;-)

    So cheers the bastard who sold on my details to O2, and up yours to O2!

  37. Anonymous Coward

    Re: Had this been in an Indian Datacentre

    Quite so. But because some dirty Britards peddle other people's personal info, it's probably celebrated in Thatcherite entrepreneurial circles as "making a bit of extra dosh on the side as a perk of the job" (with idiotic 1980s slang necessary to illustrate the mindset), despite the obvious illegality of it all. Unless the Thatcherite in question owns the company from which customer data is being pilfered, of course - then it's "unleash the hounds" given that "not sitting up straight" is a disciplinary matter in such enterprises.

    But yes: the average Daily Fail-reading Britard can't work up much indignation over such all-British affairs, unfortunately.

  38. Anonymous Coward


    What the F**k do you expect?

    An increasing number of staff are on temp contracts with no employment rights, targets are constantly being increased, staff are being told to accept it or go find a job elsewhere... then someone comes along and offers a wad of cash in exchange for customer details...

    So, How safe is YOUR data?

  39. Jax 1

    I disagree

    with the gist of your conclusion. I think it is okay for ICO to overplay this. You can have the right conclusion using the wrong reasoning, it's not exactly healthy but then again our society isn't very good at being consistent or sensible. I would cite the smoking ban as a good example of this (I argue the health risks were overblown, but it is out of order that non-smokers just had to tolerate smoking).

    Selling personal data is a serious problem and happens all over the place. You can easily ruin someone's day (or days) using their contact information and an auto-dialer. I used to work as a bottom rung teletard salesman and from that experience I know a hell of a lot of shady deals go on with customer data. I called people who insisted they had only given the details of their new number to either a high street bank or a well-known television subscription service. In some cases these people had only had their new number for a week! How did my company end up with these details?

    People working in industries that handle customer data are selling the data on and I think it is pretty widespread.

  40. JohnG

    Damage to T-Mobile

    I'm not a big fan of T-Mobile but it is not only their customers who are victims here: T-Mobile has lost business to competitors due to breaches of confience by some of their employees. Presumably, those employees can be terminated and possibly, sued by T-Mobile. T-mobile might also want to pursue the brokers who paid for the stolen data.

  41. adrianww
    Thumb Down

    I knew it!

    Up until I took out a contract with T-mobile a couple of years ago, my main email address didn't seem to have made it onto any spammer lists and I didn't really get much in the way of cold calls or junk texts. Since taking out that contract, I've seen spam directed to my main email address, had various cold calls from various companies (in spite of TPS registration) and do receive the occasional junk text from various places.

    I just knew they had sold on my details, but didn't have any proof. One of the cold-calling mobile phone brokers even claimed that they had got my number from T-mobile when I quizzed them about it. I wasn't sure I believed them at the time, but it seems like they were telling the truth.

    Scum-sucking, bottom-feeding, sputum-drooling, malodorous little oiks, so they are.

  42. Anonymous Coward


    So convictions for data theft end up with a custodial sentence, then how long until file sharing becomes 'data theft'?!

  43. peter garner

    Help! Police!

    No-one has mentioned the SFO so far - are we leaving it all to the ICO to sort out? That makes me feel a lot better.

  44. Anonymous Coward
    Anonymous Coward

    Not the only offender

    I'm sure Orange did this for years. Same deal as the O2 callers - a few months before/after contract expiry I'd get cold calls (and texts) claiming to be from Orange and offering me an upgrade.

    I've switched to O2 now and it did seem to stop over the last year or so but Orange were definitely doing this as well in the past.

  45. Anonymous Coward
    Anonymous Coward


    I'm suspecting that no one can ever make your data totally secure. When a new version of a PC operating system is available, one might expect it to be fully secure, but it never is. Always with the updates & patches. But I trust the company did all it could think of, at each stage, to avoid problems.

    Isn't it the same scenario with companies and your personal data? So long as all the systems and processes have been considered, and shown to appear to be safe, and any known risks are monitored, isn't that the most any company can do?

    Ultimately it is individuals who are the perpetrators of such crimes, and they can get employed by any company.

  46. The BigYin

    That expalins...

    ...why I kept getting calls, despite being on TPS.

    I hope they do get the jail.

  47. Anonymous Coward
    Anonymous Coward

    @Dan 10

    "1. Your sensationalist headline gives the impression that T-Mobile is itself responsible for the data being sold on, when the story states that the cause would appear to be a loose cannon within the company."

    T-Mobile is responsible. Their staff accessed data from their systems. T-Mobile should have much better systems for preventing this sort of thing. In their defence all they have is the fact that they reported the breach to the ICO when they became aware of it. It did, however, seem to take a long time before they became aware of the breach. So I'm afraid they must shoulder some of the responsibility.

    This raises quite a problem for the ICO. T-Mobile's data security is quite clearly crap and something needs to be done to tighten it up. So what does the ICO do. If they prosecute T-Mobile (something I would insist upon were I their customer) then that would discourage other companies from reporting such breaches. If they don't prosecute then this sends out a clear message that companies are exempt from prosecution as long as they fess up before they are found out. Quite a dilema.

    Oh and for those wondering how security could be tightened up there are many solutions. For a start the number of staff who can view contract details should be limitted to those who really need to do so to do their jobs. And even if it's not limitted it should be pretty easy to spot the users who are doing too many queries on such data.

  48. Anonymous Coward
    Dead Vulture

    Hang the messanger

    In this case ICO heads should roll. They forced T-Mobile to admit this had heppened when T-Mobile where not ready to do so. As a result customers have been put at risk and the people who bought the data will no doubt be hiding their tracks as we speek.

    So which MP is to blame for this. After all we are talking civil servants here so they would not do this without the authoraty from someone.

  49. vishal vashisht

    Question on Contract

    Since this is a breach of contract, Data Protection being a very important part of any mobile contract, can my friend who has been on T Mobile and is now receiving upwards of 3 calls a day asking her to upgrade sue T mobile for the entire cost and charges to the contract and end the contract with no penalties?

    I think that if a LOAD of T mobile customers call Breach of Contract and it loses a few millions pounds or preferably into bankrupcy, the other vendors will have to tighten up their procedures and we can hopefully kill off a few of these damned brokers as well.

  50. Anonymous Coward

    At least they're doing something

    Like others posting here (and elsewhere), T-mobile are hardly alone in this, although it sounds like at least they're willing to disapprove of it.

    I was with Orange for years, and they had precious little interest whenever I reported that some third party had phoned me offering me an upgrade, pretending to be them (not that I had much luck getting Orange support to do anything else, either - I was with them for as long as they had the best tariffs, never for their support, although I have a little more sympathy since the IE6 story broke). I wonder if T-mobile will change their behaviour after the merger. I hope not - I'm with them now.

    In the end, whenever anyone phoned me up offering an upgrade, I got them to admit who they were and then pointed out they were calling a TPS line. I don't think I bothered reporting them to anyone further afield than Orange, though.

    It could be worse. I had a repair man from Sky charge on the basis that I'd got conflicting stories from Sky and a third party about whether I was still in warranty, and Sky's customer service accused me of publicising my contract (with the Sky dish at the *back* of the house, where it's only visible from a few back windows) rather than showing any interest in the possibility that someone might be selling customer details.

    Frankly, anyone in the UK I can deal with. I'm a lot less sure how you report an Indian call centre for UK cold call regulation violations.

  51. Alexander Hanff 1

    re: Cost on Contract by Vishal Vashisht

    The DPA permits victims of breaches to take the offending company to court and litigate for damages providing damage can be shown. Damage does not have to be monetry it can also be psychological - so it is arguable that receiving calls several times a day can cause undue stress, but there would probably need to be logs of calls.

    Let me further add that I am incredibly disappointed with the tone of this article and as someone who spends the vast majority of his time defending consumers privacy rights I am incredibly disappointed with Bill's reporting on this issue.

    The misuse of personal data in the UK is a very significant problem that causes 100s of thousands of people a great deal of stress on a daily basis - for example, just yesterday we received a scam call at 5am in the morning and I know we are not alone with this problem. But more importantly our personal data is protected under law - and with the Lisbon Treaty going through Data Privacy will soon be a fundamental right on par with the European Convention on Human Rights and for good reasons which should be common sense for anyone who has been following the privacy debate over the past 20+ years.

    Also, the media, ICO and T-Mobile are using their staff as a scapegoat. We need to remember that actually under the Data Protection Act it is the duty of the Data Controller to ensure that sufficient safeguards and security are in place to prevent the misuse of personal data within the organisation - a point which has clearly been missed in all the reporting on this issue so far. T-Mobile obviously did not have sufficient safeguards in place otherwise this breach would not have happened in the first place - and under the DPA it is ultimately the company and the data controller who are liable - not the staff. T-Mobile are reported as saying they take Data Security very seriously - well obviously not seriously enough!

    Furthermore, this practise of selling personal data to data brokers is systemic to the entire commercial arena (not just telecoms) and I find it astonishing that ICO seem to only just be recognising that - this breach came as a surprise to no-one who has even the slightest interest in consumer rights.

    Should there be custodial sentences and larger fines (1 million Euros are already being discussed within Europe and £500 000 was recently discussed in the UK) damn right there should be. We live in one of the least privacy conscious countries in the entire world and pretty much top the surveillance league table of all developed western states and rank in the top 5 on a global scale. It is about time our fundamental rights to privacy were upheld and without substantial penalties to do that there is no deterrant.

    For years we have been complaining that ICO have no enforcement powers so I am dismayed to see anyone criticize ICO for using whatever weapon they have in their arsenal to increase their enforcement powers. Last week I spoke at the BEUC Forums 2009 conference in Brussels - the focus of the event was Consumer Privacy and Behavioural Advertising and the resounding message which came out of the event was an utter lack of enforcement despite there being reasonably strong legislation throughout Europe to protect the privacy rights of the citizen.

    Everyone should be aware that the Telecoms Reform Package (which is about to go through Europe) makes the reporting of data breaches compulsory for the telecoms industry - so in future don't be surprised to see more of this type of news hitting the press.

    To sum up, ultimately it is T-Mobile whom are both responsible and liable for this breach and yes consumers do have an option to seek remedy throgh the courts and I would seriously suggest that if they have evidence of damage that they take the steps outlined in the DPA to take T-Mobile to court - if for no other reason than to send a clear message to the sector as a whole that these breaches are unacceptable and will carry consequences.

    Alexander Hanff

    This is a personal statement by me and whereas it probably matches the opinions of my colleagues it is not an official statement on behalf of Privacy International.

  52. Courion

    Data Breaches Happen Far Too Often

    Companies need to have a strong access management strategy in place to protect all critical applications and data – especially customer databases – and further need to ensure that the access strategy and corporate policies are being adhered to across the business. Insider data breaches like these rear their ugly heads far too often, and it’s important for enterprises to ensure that they aren’t simply trusting their employees to do the right thing, but also utilising automated preventative and detective controls to keep everyone honest.

    Stuart Hodkinson, General Manager, Courion

  53. WestMidlandsICT

    It's a major concern in the industry.

    My company has been approached by networks in the past about this problem – it's a major concern in the industry.

    There are a range of tactics used to get customer data about the networks people use, their specific accounts and even if they have insurance for their phone. Companies then use this information to contact a customer, offer them a better deal and steal their business – it’s commercial espionage and theft of data on a massive scale. It also undermines networks providing good services to their customers.

    The risk is often the ‘trusted insider’ who goes bad – and technical security procedures and policies alone won't prevent it. Networks need to diagnose the problem up-stream, getting to grips with their customer data and monitoring how it (and hence the customer base) behaves as a whole over time. It’s important to understand the big picture in terms of your customers' behaviour – the problem with mobile phone networks is that they have hundreds of thousands of customers. Can you imagine a smaller business failing to know its clients, unconcerned about whether they retain them and not watching for signs of competitors stealing them away?

    By continuously auditing, monitoring, assessing and diagnosing their client base it's possible to see problems as – or even before – they occur. If the technology notices that a particular pattern of standard behaviour starts to become erratic or considerably changes, something might be afoot. We specialise in this kind of monitoring, letting networks know the state of health of their client base and helping to control the conditions that retain customers and protect them from fraudsters.

    Another tactic used by unscrupulous companies is to use ‘Autodialler’ machines, which randomly dial phone numbers using smart calculators. They already know the type of number generally owned by each network, then callers use social engineering techniques to find out more about the customer's account and offer what appears to be a better deal and also win the insurance business for the phone. Together this can be very lucrative.

    The difference between an Autodialler and a data thief is that the Autodialler doesn’t need to enter the company database. Some may say this is fair game but that couldn’t be further from the truth – left unchecked this situation can develop into a continuous ‘churning’ of customers, driving prices even lower so service suffers, customers suffer and the businesses involved become difficult to control and manage. It undermines the economic basis for developing good standards by service providers; if the problem grows then the temptation for everyone to do it is overwhelming. We should remember that these businesses employ people, provide taxes for the economy and develop new technologies we can sell internationally. It is not in anyone’s long term interests to engage in this. In the short term the ‘sharks’ using Autodiallers make vast amounts of money but inevitably someone will try it on their service provider as well. And, so the story goes on....

    Richard Leary - Forensic Pathways

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022