back to article Data-nicking UK car repairman jailed six months instead of copping a fine

A UK car industry worker who abused his customer database access to send data to telephone scammers has been sentenced to six months in prison. Mustafa Ahmet Kasim, of Rayleigh Road, Palmers Green, London N13, pleaded guilty to one charge under the Computer Misuse Act 1990 of causing a computer to perform a function with …

  1. Voland's right hand Silver badge

    Bollocks

    Both NARS and Audatex's makers were said to have made changes to reduce the probability of such a thing happening again.

    Bollocks. I will believe that after a visit to the bodyshop which does not end up with a couple of years of scam phone calls. For the time being all of them do. For one person who got caught there are hundreds of ones who did not sitting in your local insurance industry approved body shop.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bollocks

      Actually, I know a little bit more about Audatex for reasons I am not allowed to expand on.

      I know for a fact that these guys are *very* serious about security for a number of reasons, so I suspect there must have been some stiff internal discussions about making sure this doesn't happen again.

      (I don't work for them, but let's just say that I'm familiar with the repair processes in the automotive world and Audatex play a rather active role there).

  2. johnfbw

    Congrats

    Now if we can find who have been selling my data to the PPI companies I would never get another phone call

    1. Anonymous Coward
      Anonymous Coward

      Re: Congrats

      You're being a bit naive if you think the robo-calling PPI leeches have the slightest idea whether you ever had PPI, let alone were miss-sold it.

  3. James 51

    I don't know if they police were being creative. He used someone else's login to cover his tracks, the unauthorised access part of the law clearly applies.

    1. Anonymous Coward
      Black Helicopters

      Avoids data breach rules if you say it was "unauthorised access", and sweep the rest under the carpet?

      1. Alan Brown Silver badge

        > Avoids data breach rules if you say it was "unauthorised access",

        The computer misuse act defines "unauthorised" as including "in excess of authorisation"

        I'd say slurping up details unrelated to the exact jobs in hand would qualify (and could also be used against anyone who looked up a celebrity's or ex's details on the police or NHS systems too)

        This is why you must be very careful what you wish for. One of the "Wishlist" laws which is wending its way through the system at the moment is aiming to make simple trespass a criminal act. It's aimed at dealing with all the traveller incursions on private and council land but I can see it being widely abused against anyone that "security guards" in "public but not public" spaces (like most open spaces around urban London) don't like. It'd be even more ironic if it was used against a Hunt that traipsed across someone's land chasing their dogs after they'd got scent of a fox (this is a regular occurance in Surrey and landowners who are opposed to Hunts would do it in a heartbeat)

  4. Lee D Silver badge

    Good.

    The more cases like this I can point at, the less chance I have of any resistance to my "least privilege principle" processes.

    Question: Why does the software allow blanket access to names and addresses of customers that he's not even dealing with?

    I actually would posit that almost all call-centre software should be illegal under GDPR because you have no need to actually KNOW what the customer's address / phone number actually are. You just get put through to them by the system, and unless they ask you to change or confirm the address, you have no need to do so much as request it (via, say, a "Request" box on each database field), and so any blanket-requesting of customers would flag up under auditing rules, and any attempt to "mass export" the customer list would just fail and set off the flashing red lights.

    Remember: If it's not REQUIRED for your job, you shouldn't have that access to that data. 99.9% of the times I've called up any utility companies, taken a call from suppliers, etc. there is literally zero need for them to personally have access to any of those details.

    "Shall I ship it to you home address sir?"

    A) "Yes please". Done. No need to do anything but "deliver".

    B) "Hold on, I moved recently, which address do you have?". Call operative presses Request on the address, the grey box for address only gets filled out from the database, operative reads it out, confirms it. Done.

    We honestly need to start designing systems around least-privilege (again) before the law catches on that it's own definitions require it.

    1. ibmalone

      I actually would posit that almost all call-centre software should be illegal under GDPR because you have no need to actually KNOW what the customer's address / phone number actually are.

      While I (and hopefully anyone with sense) would agree with the general "restrict access to required data" principle, there is also a need to ensure data held is accurate, which could be used to justify things like checking phone number, and if a delivery is planned, the accuracy of the address they have on record.

      1. TwistedPsycho

        Accuracy is not required......

        Unfortunately, the requirement to ensure data is accurate does not apply to all.

        Take for example one of the large original banks. Two years after moving into our house and sending back numerous demands for cash - which you could see through the flimsy envelope - we exercised our right phone the bank, talk to their Business Banking department, advise them that their customer had moved out previous and read the account number and address through the address window of the envelope.

        Despite threatening to call the police on us as we had breached data protection, over the next few months us getting a knock from collection agents and us proving to them and the bank that we now own the house; as it was a business-to-business loan, the bank was under no obligation to keep its details up to date and said it would keep sending letters and bailiffs.

        I walked into their local branch with the letter, to their open plan business banking section and discussed the situation with one of their managers, in full earshot of all their customers. Their manager even got the same response from their own B-2-B banking team.

        So no, the data protection principles on data accuracy do not apply to some call centres....

        (This started sounding like a rant at ibmalone, it is not and merely a story to the contrary of the point of data accuracy)

        (/rant)

        1. Spazturtle Silver badge

          Re: Accuracy is not required......

          " the bank was under no obligation to keep its details up to date and said it would keep sending letters and bailiffs."

          This is why you record your phone calls, them saying that is them admitting to harassment and extortion.

        2. Doctor Syntax Silver badge

          Re: Accuracy is not required......

          "Unfortunately, the requirement to ensure data is accurate does not apply to all."

          The requirement applies. It's just that businesses aren't always good at applying it. The more self-important the business the less good they are.

          "Despite threatening to call the police on us as we had breached data protection"

          In the circumstances my reply would have been "see you in court - as a witness against you for wasting police time".

        3. Alan Brown Silver badge

          Re: Accuracy is not required......

          "Take for example one of the large original banks"

          You should name them.

      2. Alan Brown Silver badge

        "there is also a need to ensure data held is accurate, which could be used to justify things like checking phone number, and if a delivery is planned, the accuracy of the address they have on record."

        These only need to be _displayed_ when accessed for that purpose - and such access should be audited.

        Showing them to all and sundry means you don't know who's writing them down or screenshotting them.

    2. Mongrel

      "Shall I ship it to you home address sir?"

      If you could trust the customers to do that...

      The number of times I heard

      "Shall I ship it to you home address sir?"

      "Yes, please"

      "Let me just confirm that, 123 Random Street, Anytown"

      "That's not right, I haven't lived there on years!! Why have you got that address?"

      or

      "That's my Brothers\MiL\Friend who could be in to accept delivery"

      or

      "I forgot I used a made up\deliberately incorrect address"

      *sigh* And then was our fault when replacement item\call-back never happened

      I agree, the info shouldn't be as freely available as it is but there needs to be a certain amount of verification, maybe a "Confirm address" option which routes it through software (our 5yr old Garmin does a very good job of pronouncing street addresses) then back to the operative for call close

      1. Anonymous Coward
        Anonymous Coward

        Re: "Shall I ship it to you home address sir?"

        "[...] maybe a "Confirm address" option [...]"

        In the UK a postcode on its own will be sufficient for confirmation in the vast majority of cases.

        I was impressed by an online order today. After I typed the first line of my address - it instantly offered all the possible valid house addresses that matched in any town/city in the UK. Not sure what it does when the road name is very common eg High Street, Station Road, Church Street.

        1. HieronymusBloggs

          Re: "Shall I ship it to you home address sir?"

          "In the UK a postcode on its own will be sufficient for confirmation in the vast majority of cases."

          It only confirms that the street address and postcode match, not that the customer has given you the correct address.

      2. MR J

        Re: "Shall I ship it to you home address sir?"

        If delivery groups could offer a good service there wouldn't ever be a need to tell a lie about where you need/want something delivered.

        A few weeks ago the royal mail guy (or gal) gave up on my street, stuck EVERYTHING through my door. I had like the remaining 9 homes on my street and the first 4 on the next street....

        DX (Delivered Exactly LOL) sent me a text to say my delivery should be with me tomorrow, please be at the property between 6am and 8pm with valid identification. To be fair, it was exactly delivered in the time they gave me, I am just glad they didn't say between November 1st and November 30th.

        And then I know a guy who moved like 9 years ago, and the council, BT, his pension provider, and lots of other people still send stuff to the wrong address. I can only guess it's because his post code hasn't changed so phone/office staff just look at the postcode and throw the sheet away thinking it's been done.

        Then there was the time someone else used OUR phone number to sign up to Sky... Because we didn't know the persons name, address, sky account number, security details, or anything, they refused to remove our phone number from the account. Funny thing was, they were willing to upgrade packages for me - without needing to pass a security check.

        So lets not just blame customers for the failings of big business and how it makes them do things.

        1. Doctor Syntax Silver badge

          Re: "Shall I ship it to you home address sir?"

          "And then I know a guy who moved like 9 years ago, and the council, BT, his pension provider, and lots of other people still send stuff to the wrong address."

          We had that for some time until I phoned the sender and told them there would be a £10 handling charge on every item I sent back to them and if they didn't pay I'd have no qualms about taking them to court. It stopped.

    3. Doctor Syntax Silver badge

      "99.9% of the times I've called up any utility companies... there is literally zero need for them to personally have access to any of those details."

      It depends what the call's about. If it's to do with utilities there can be a definite need to know as the physical network can be a problem. Recent anecdotal evidence is that the call centre doesn't know enough. Last week the road was closed for water main work almost at my gate with no notice. The call centre operator was sure it was a different road that was affected.

      Yesterday the internet connection went dead. And then it died a second time. Checking the phone showed no dial-tone either. When I finally got back online I rung BT. The immediate response was to offer an engineer visit (at a cost of £85 if it was a false alarm); no no faults or work in the area. I went down to the village and found 2 Openreach vans with one engineer working at the cabinet and another down a manhole doing remedial work on the cable between the two. Call centre don't have access to that information or aren't able to relate location of work to physical addresses.

    4. Chris Evans

      Great idea, BUT.

      Currently many companies won't talk to you even about non specific account questions without asking three or more security questions including your full address. I keep telling them that asking so many questions is I believe a breach of the law! One company even insists on the full address saying that postcode and house number is not enough adding the road name still doesn't satisfy them.

    5. Alan Brown Silver badge

      "I actually would posit that almost all call-centre software should be illegal under GDPR because you have no need to actually KNOW what the customer's address / phone number actually are."

      You're probably right. The problem is that the ICO is deliberately kept as nobbled as possible by the government, so their friends can thumb their noses at the law. Have you noticed that despite the egrarious breaches of privacy that go on, only a few actual enforcement actions get reported? They're the ones that are so extreme that they can't be ignored, or where the target can't lawyer up enough to fight the ICO off.

  5. Anonymous Coward
    Anonymous Coward

    Used to work for Solera

    I used to work for one of Soleras other companies, and I can say that he probably didnt even need someone elses login details, if its like the rest of their products they use a sqlexpress backend with cloud backups :SMH:

  6. Anonymous Coward
    Anonymous Coward

    Time will tell

    Hopefully this is something that will become standard policy, and not just a one-off token window dressing for the ICO.

    I won't be holding my breath though, for more reasons than you could shake ........ etc etc.

    Hopefully this won't reach the mainstream media; if it does, I'll end up wasting more breath trying to stop my parents engaging in the sorts of conversation with these f*ckers that includes revealing their credit card details.

    1. Doctor Syntax Silver badge

      Re: Time will tell

      "Hopefully this won't reach the mainstream media"

      1. I don't know why you hope that. It should reduce that.

      2. The Beeb had it before el Reg.

  7. Anonymous Coward
    Anonymous Coward

    Far too common

    There is a car hire company in the city I live in that does the same. Every time I have had some kind of bump and insurance is involved my hire car always comes from the same place. And every time they have been involved it is only days before I am getting the calls from the scam lawyers asking me if I want to claim for whiplash.

    Why do I blame the car hire company? Well I have changed insurers and still the scam happens. The only common part is that hire car company.

    Damn good to see the law dropped onto this gits head. Hope to see more of this.

    1. Anonymous Coward
      Anonymous Coward

      Re: Far too common

      Seconded on blaming the hire car company.

      When my car was written off the insurance company paid up in a couple of weeks, Gap company paid up soon after that - great all done I thought.

      18 months later I was still answering legal requests about the hire companies £2,000 claim for two weeks use of a crappy little shopping trolley.

      anon & not naming them because they specialise in outrageous court claims (same address shared by their 'legal' company)

    2. Lee D Silver badge

      Re: Far too common

      Next time give them a PAYG phone number and a forwarded free email address that you have never given anyone else.

      Cost: Pence.

      Impact: Nice letter winging it's way to them and the Data Protection ombudsman saying you've totally abused the data I've given you without permission and/or failed to secure it and not notified me of a breach... which is it?

      P.S. Have done exactly this. Have screwed company to wall who used a stolen customer database. I know they did because (in my best Del Boy impression "That's not the hand I dealt you...") this case... That's EXACTLY the email address that I only dealt SOMEONE ELSE and not you...

  8. JLV

    Great. Now, how about applying this newfound severity, with jail time proportional to the volumes, to the bosses involved in some of the bigger data breach.

    Thinking Cambridge Analytica, Equifax...

    Oh, and some of the direct “just following orders” worker bees doing the dirty work too.

    Don’t even always need real - taxpayer costly - jail time. Suspended sentence and criminal record is a good start.

    1. gnasher729 Silver badge

      The jailtime wasn't due to the severity. He got jail because he wasn't an employee anymore and had no right to access the old employer's computers at all, so he was caught by computer hacking laws. If a regular employee did this (one that had permission to access the data, but obviously not permission to send them to a competitor), it would have only been a data protection violation.

      Of course the company can sue him and the receiving company for damages in any case.

      1. JLV

        I don’t disagree about the particular legal criteria leading to his conviction.

        I’m saying that when you have severe data breaches then individual should be liable for gross negligence or malfeasance.

        In Equifax that might end up on whoever cut security budgets to the bone rather than the hapless sysadmins.

        Cambridge would be whoever started slurping - who ordered it & who did it.

        Assumption of innocence: unless it is proven either negligent or intentional, person walks away. Don’t want the job of sysadmin to become exposed to spiteful scapegoating either in case of honest errors.

        Look at medical, public transport operators, etc... for guidelines.

        But it’s high time we make individuals liable - large data breaches, not this particular lowlife, can result in thousands, if not millions, being exposed to fraud. How much crime will that facilitate? Not particularly fond of filling up prisons, but at some point it becomes worthwhile to dissuade certain types of crimes or negligence by harsh penalties.

        Think of it this way: why are we cheering this bozo getting 6 months and accepting a truly trivial monetary penance from Equifax?

        1. Doctor Syntax Silver badge

          "I’m saying that when you have severe data breaches then individual should be liable for gross negligence or malfeasance."

          GDPR and DPA 3.0 both have this provision but only with fines administrative penalties as punishment. As it's an administrative penalty (except in those countries that don't allow administrative penalties) there'd be no criminal record.

      2. Anonymous Coward
        Anonymous Coward

        "Of course the company can sue him and the receiving company for damages in any case."

        Indeed. That's what Enterprise did: https://www.theregister.co.uk/2017/01/06/former_employees_at_car_rental_biz_sentenced_over_nuisance_phone_calls/

        Fines of £7,500, £3,000, and £1,200 from the ICO, and civil damages payable to Enterprise totalling £400,000.

    2. Anonymous Coward
      Anonymous Coward

      Great. Now, how about applying this newfound severity, with jail time proportional to the volumes, to the bosses involved in some of the bigger data breach....Thinking Cambridge Analytica

      Cambridge Analytica will never be properly investigate and prosecuted, because of the company's connections to the security services, and all the dirt that could be dished. I expect a token fine, paid quietly and promptly, and everything swept under the carpet, whilst the same people go on to conduct the same business under a different name. Although they'll probably be more careful to try and avoid being caught in future.

      1. BebopWeBop

        Well connections to various political parties will probably do the supression job just as well.

  9. Anonymous Coward
    Anonymous Coward

    Such cold calls I get are obviously speculative as I do not have a car - and have never given "Microsoft" my home address. The latest caller was very insistent he really was Microsoft support - his justification being how else would he have my name and telephone number.

  10. This post has been deleted by its author

  11. Cynic_999

    "... even if, as is routine these days, he will serve a maximum of half that time behind bars.

    "

    The word "routine" makes it appear to be something that is optional, and "these days" makes it sound as if it's a recent thing. Neither is true - sentences have comprised a certain proportion to be spent in prison and the rest out on licence for many decades (though the exact proportions have changed from time to time). The media always makes out that release from prison before the entire sentence is served is some sort of discretionary concession. It isn't, it follows mandatory rules of which the sentencing judge is well aware.

  12. John Savard

    Creative

    Given the harm caused to customers here, it should not have been necessary to depend on a fortuitous circumstance that permitted charges under the Computer Misuse Act to impose jail time. So the Data Protection Act urgently needs to be amended to provide for prison terms and criminal conviction as well.

    1. Anonymous Coward
      Anonymous Coward

      Re: Creative

      "So the Data Protection Act urgently needs to be amended to provide for prison terms and criminal conviction as well."

      The GDPR, which the UK enacted in May this year does. This case almost certainly predates that, so the option was not available to them.

  13. hellwig

    Your data out in the open.

    All these companies and governments want you to trust them with your data, but they make little to no effort to actually secure that data. Even if you trust an organization or government, you cannot trust the individuals employed by those groups. How many country clerks, office admins, IT schlubs, etc... do you hear about doing something unscrupulous or down-right illegal?

    The individual is always the weakest point in any organization, that's why phishing attacks are so successful. Even if someone isn't outright evil, being stupid is just as bad sometimes.

  14. clyde666

    one law for the ...

    No sympathy at all for the miscreant, but jail time for the little guy versus a throw-away fine for any sizeable company. Justice ???

  15. Torchy

    Remember that name.

    Remember his name for when he goes looking for his next job.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like