back to article Unauthorised RAC staffer harvested customer details then sold them to accident claims management company

An employee at emergency roadside rescue biz RAC has received an eight-month suspended prison sentence for unsanctioned access to computer systems that saw her sell customers' data to an accident claims management company. Kim Doyle pleaded guilty to charges of conspiracy to secure unauthorised access to computer data and …

  1. AMBxx Silver badge
    Facepalm

    Competition for the RAC?

    Don't the RAC already sell this stuff?

    1. Wellyboot Silver badge

      Re: Competition for the RAC?

      Yes they do but legally.

      They'd be hauled up on similar charges if that resulted in a breach of the rules, hopefully with all directors sharing the personal pain.

      1. Anonymous Coward
        Anonymous Coward

        Re: Competition for the RAC?

        The only sin is that the chick was caught pilfering data that RAC already sells legally.

        In the US, she'd be fired and that's it.

        No charges.

        The sad thing is that if you look at the T&Cs you give these companies the ability to do this. You have no choice because they all do it.

        And its not just RAC. Other companies do it.

        1. Anonymous Coward
          Anonymous Coward

          Re: Competition for the RAC?

          In the US, she'd be fired and that's it.

          The miscreant was a he - para 4 refers to "his sentence"

      2. Missing Semicolon Silver badge
        Devil

        Re: Competition for the RAC?

        You are joking.

        The RAC are too big for that. "Lessons would be learned".

        There are senior executives involved - different rules apply.

    2. Grease Monkey Silver badge

      Re: Competition for the RAC?

      They do sell it but only if you've checked the box that says you authorize them to pass on your data to trusted partners. Remember this stuff is strictly opt in by law.

      Although I suspect that now we are out of the EU it won't be long before this becomes opt out. With the only way to opt out being to send them a letter countersigned by the prime minister.

      1. Anonymous Coward
        Joke

        Re: Competition for the RAC?

        > With the only way to opt out being to send them a letter countersigned by the prime minister.

        You're in luck! I've got a selection of opt-out template letters countersigned by the PM for various situations, only £5 each. Just send me the £5 and the name and address of the organisation to send it to and I'll fill it in and post it for you - what could be easier? :-)

      2. Cynical Pie

        Re: Competition for the RAC?

        Nope, no change to the opt out/opt in bit as in order to do business with EU punters UK companies need to comply with the GDPR even though we are now out of Europe.

        The only change is the UK version of GDPR has removed all references to the EU and EU institutions.

        In the RAC's case if you have overseas breakdown cover and your car is recovered by their partner firm in France or wherever the RAC need to be fully compliant with EU GDPR to provide the service to you as you personal data will be travelling to and from the EU.

        1. stungebag

          Re: Competition for the RAC?

          What? We're following EU rules on GDPR?

          It's a disgrace, take back control and so on.

  2. Wellyboot Silver badge

    To discourage any others

    This is a good start.

  3. Grease Monkey Silver badge

    Not even close to a strict enough punishment.

    Both should have been subject to hefty fines as both will almost certainly have gained financially from the arrangement. Then the claims management company should have been subject to a significant fine.

    Finally the RAC should have been fined. Yes they co-operated. Yes they caught the rogue employee. The reason that they should be fined is that their systems allow the bulk export of data. I remember years ago being a member of a corporate data protection board I explained to one department that their systems allowed personal data to be exported in bulk which was in breach of our data protection declaration. I pointed out that one default report included customer names, addresses, phone numbers, email addresses and bank details. I asked the the idiot (sorry department manager) why this was necessary and he could not provide a single instance where having all that data together in a handy spreadsheet was necessary. In this particular case there should be no reason why a report containing the customer names (albeit partial) and mobile numbers in a single bulk report should be necessary.

    1. Daedalus

      The reason that they should be fined is that their systems allow the bulk export of data.

      Exactly. Remember all those "we lost a CD with 100,000 names, NI numbers and addresses on it" incidents? So many systems just store everything in plain text for anybody to download, instead of requiring a single lookup key to find a single item. It would be a lot easier to secure people's data if the sensitive parts were stored as hashes so that they could only be used as lookup keys. But even in the credit card world, people use workarounds so they can view actual numbers, rather then inputting them into the query to see if a given card is valid. Many data hosting services have to spend significant time purging out anything that looks like a plaintext CC number.

    2. IGotOut Silver badge

      1. Read the article. They have both been "fined". Failure to pay results in a prison sentence.

      2. Where does it say bulk export? She could easily have sent an email everytime she dealt with it. If she is a call handler, then sending out details of names, addresses and other persobal details would be part of her job, so again no easy read flags.

      1. Grease Monkey Silver badge

        1. No they weren't fined. Those were just orders to reclaim the profit they had made. The point about fines is that they should be punishments rather than just orders to repay the money you have made. The latter is not really much of a punishment as it just takes you back to square one. Also these are often based on underestimates of the amount of money received if no records are available - and it would be a pretty special kind of criminal that kept detailed records of their misdeeds.. And the additional grand is contribution to legal costs rather than a fine.

        2. If she was doing for cases she'd handled then she would have had more information than partial names and mobile numbers.

        When it comes to financial penalties remember that the ICO has had the power to levy unlimited fines since 2015.

        1. Pascal Monett Silver badge

          Re: it just takes you back to square one

          Not if you've already spent the money.

    3. Anonymous Coward
      WTF?

      Strict

      What bothers me is the suspended sentences. Both should be spending time in the lockup rather than just the lockdown.

      Punitive fines rather than just recovery of profits also should have been assessed.

  4. Guy de Loimbard

    These type of activity is a plague on humanity

    I for one, am glad this type of activity is being investigated and reasonably thoroughly, whether the penalties applied here are sufficient, remains to be seen, but having a suspended sentence is not going to help with onward employment surely?

    Speaking from experience, I was plagued by claims management parasites after being involved in an accident some years ago. It's frustrating to say the least when your phone is going off constantly with spurious calls purporting to be the "Claims Management Company", I'm sure the myriad databases the insurance industry uses are being mined, legally or otherwise, and I object to my information being farmed out.

    Perhaps this incident will help drive this sub culture away? One can only hope!!

    1. Grease Monkey Silver badge

      Re: These type of activity is a plague on humanity

      Rather than "claims management company" I've had two types in the past.

      Number one "I am calling on behalf of your insurance company" to which a good response is to ask them for the name of your insurance company. Due to the nature of the data they often won't know it.

      Number two "I am calling about the motor accident you had in the last three years". Clearly these buggers are as dodgy as possible and the best response is to simply hang up. Or if you have nothing else to do string them along and waste as much of their time as you possibly can.

      Seriously though I had an accident earlier this year and received an iffy looking letter from a solicitor which wasn't very clear about what they were trying to reclaim and from who. I called the my insurer who explained that the letter was from a solicitor who they had engaged to try to recover my excess from the third parties insurer (this wasn't clear it looked as if they were trying to recover it from me) and that they should never have written to me as it wasn't really of any consequence to me. So sometimes insurers do employ third parties to manage claims or parts thereof, but these companies should not be communicating direct with you they should always do so through your insurance company unless your insurers have informed you of it before. As such I am told the best way to deal with any of these companies is to refer them to your insurer. If they are not happy with this or try the "but your insurer asked us to contact you direct" ask them for their name, company name and phone number along with their case number and tell them you'll be calling your insurers to authorise the call. Explain that if the insurer do authorise the call you'll be calling them straight back, otherwise you'll be calling the police and the ICO. This tactic will generally be rewarded with a rapidly terminated call.

      1. Anonymous Coward
        Anonymous Coward

        Re: These type of activity is a plague on humanity

        Regarding #2

        I've been plagued by these calls with the same MO since an accident in 2014. A couple of months ago, rather than concoct some elaborate story involving donkeys, rainbows, etc, I sensed that I was speaking to someone with a conscious. "But I don't have a car. In fact, I've never had a car...." along with, "if you could be kind enough to take me off your database, I'd be eternally grateful."

        Touch wood (oo-er) I've not received another call.

        1. Dave314159ggggdffsdds Silver badge

          Re: These type of activity is a plague on humanity

          I just tell them I've already got compensation. Seems to work. If they ask how much, tell them a few hundred thousand, puts it out of their league.

      2. myhandler

        Re: These type of activity is a plague on humanity

        Yep - I had a claims adjustment guy, phoning from Liverpool when I live in London, saying " Now we've inspected your lovely motor all you need to do is approve this..."

        You'd think I had a flash Jag or a Beemer, nope.

        Nothing to link him to the insuracne company either.

    2. Richard Jones 1
      WTF?

      Re: These type of activity is a plague on humanity

      It is not just those who had an accident who get a parasite call. I dashed to answer my wife's phone when she was unable to answer quickly when expecting a legitimate call from a known source. Instead, it was a damned parasite 'false claims company', they got no further before being told to b*gg*r off. Perhaps I should report the sods to ICO.

    3. Archivist

      Re: These type of activity is a plague on humanity

      My wife gets these, and has a brilliant patter:

      We're phoning about about your accident.

      Which one?

      Umm the one recently.

      Oh, the one where I lost both my arms and legs?

      (Caller hangs up).

  5. Grease Monkey Silver badge

    This stuff is not unique to the RAC but the ICO seem to have difficulty tracking down the perps. In this case it seems that they only got a result because a victim managed to point the finger at the RAC as the source of the leak.

    I tried to raise a case once after a similar call about a car accident. It was clear the caller had some details but they were very limited. This then led me to believe that the had come by the data by nefarious means. If they had a right to the data it would have been much more complete. However I was told that I could only make a report of a data breach if I could provide the name of the company who had suffered the breach. The trouble is that the data could have come from a number of sources, my insurer, the third party's insurer, the company who'd towed the car, the body shop who assessed the car, the company that collected the write off and perhaps a few subcontractors as well. I explained this but was told that without a specific company name there was nothing that could be done. Since there was no way I could identify the source of the leak (all they seemed to have was my name, phone number and strangely the month of the accident - not the full date) there was no way I could procede.

    However given those three specific items of data you'd think the ICO would have been able to work out which of the companies was the most likely source since they could surely ask to see the reports. After all it seems somebody had got hold of a monthly report that included partial names (they only used my surname), and phone number. Obviously there was probably more information than that on the report, but nothing they would have found useful to give me on the call. As such you're looking at it being unlikely to be my insurer as they would have had more personal information. However all of the others were likely to have that data, but no other personal data. The other thing all of them would have had would have been my registration number, but strangely that was never mentioned on the call. But then maybe that wasn't included in the particular report that was leaked. To look at it another way it could even have been something as simple as a phone record. It if was the latter then my insurer, the tow company and the body shop all called me on that number and knew my surname. But once again this apparently wasn't enough for the ICO.

    The ICO needs 1. More teeth and 2. KPIs to work on. If they had a clear up rate they had to meet I'm sure they would try harder.

    1. Anonymous Coward
      Anonymous Coward

      Sounds recognisable. In my case I was pretty sure it was the (big name) car hire company my loan car came from after my car was in an accident. Only them and the Insurance company knew the details in the phone call. It was a few years back now so I can't remember the details of why I was certain it was the car hire people.

      I assume it is the ambulance chasers who approach the staff at places like this. Pay them for tip-offs.

      1. Grease Monkey Silver badge

        I had forgotten the car hire firm. The courtesy car was delivered by a car hire firm and they would have had my name and phone number but no other details of the accident.

      2. Persona Silver badge

        In my case I was pretty sure it was the (big name) car hire company my loan car came from after my car was in an accident.

        Correlation is not causation. I've been called by an automated system where a girl says "I believe that you have been involved in an accident that wasn't your fault. Is that correct?" If you say "yes" or possibly make any noise whatsoever you get connected through to a real person (different voice) who wants to be your best friend and gather all your personal details. As I hadn't been involved in an accident I had great fun telling them that I had and not giving them anything else.

        1. DJV Silver badge

          When they ask you how seriously you were injured tell them something like "I was decapitated" and see how long the pause is before they continue their speil (which they will).

    2. 96percentchimp

      The ICO needs 3. Sufficient staff to conduct these investigations.

      If they're like any other regulator or ombudsman I've known, they never have the resources to keep up with the number of complaints, and your case could tie them up with endless searches for enough data to identify the company at fault, let alone the individual if it's a leak like the one in the original story.

  6. Peter 26

    Only 8 months suspended?

    These cases are so hard to investigate and uncover it's disappointing an example is not made of the few actually caught and prosecuted.

  7. Grease Monkey Silver badge

    Once upon a time you had to be a proper law firm - well solicitors - to carry out this sort of work. But the law changed and "claims management" companies came into being. They don't have to registered with anybody and don't have a regulatory body. Then people are surprised when they turn out to be dodgy.

    There are trade bodies and regulatory frameworks for solicitors and insurers, but no such thing for these "claims management" companies. The simple solution would be to make them sign up to the same system as insurers. Half of them would go out of business overnight as they wouldn't want the extra expense.

    1. Anonymous Coward
      Anonymous Coward

      Although I suspect that now we are out of the EU it won't be long before this reverts back to solicitors only.

      1. John Brown (no body) Silver badge

        People like you really ought to look at all this concumer legislation brought in from the EU and find which countrys instigated it, which enthusiastically supported it to get it passed and which ones then "gold-plated" it to make it even stronger ion their own jurisdiction. You might nbe surprised to learn that quite a bit was at the behest of or strongly involved the UK. Stop beleiving the propoganda from the anti-EU side when they blame the EU for everything.

  8. myhandler

    These two should have done time - it has to be taken seriously.

    And the RAC need a hefty fine for having a lousy data protection scheme.

    1. N2
      Trollface

      Then forced

      To buy a new battery for their cars

    2. Dave314159ggggdffsdds Silver badge

      The 'crime' is making a bunch of nuisance/spam calls, and assisting with that. Prison seems just a little OTT.

      It's much more concerning that RAC have no data security.

  9. Anonymous Coward
    Anonymous Coward

    Makes a mockery of the law...

    ... when there is no difference between RAC selling it to scammers and a single person doing the same for personal profit.

  10. Anonymous Coward
    Anonymous Coward

    I get calls like that every week

    I used to report them, but it is a waste of time. I think all the calls come from scam companies in Indian call centres. They come from different bogus numbers every time. I haven't even been in an accident. Now I'm just really rude to them. The calls always start the same with a pleasant sounding woman with an English accent "I understand you've been in an accident that wasn't your fault. Is that right?" This part is just a recording so I just play along with that for a moment or two then get transferred to an Indian call centre. When they ask about the accident I just mirror their call: "Hello, good evening, I understand you like to receive anal sex, is that right?" For some reason they tend to hang up then.

  11. Anonymous Coward
    Anonymous Coward

    We take our responsibility for protecting personal data extremely seriously

    like fuck you do

    1. Anonymous Coward
      Anonymous Coward

      Re: ..but stick our heads in the sand if theres a hint of a problem

      As an anonymous phone-jockey at the RAC at the time, I know RAC had a spike in complaints from their customers about these kind of calls, specifically from situations where RAC (or it's contractors) had picked up the car in an accident. Third parties were blamed, and the customers dismissed as imagining any connection to the RAC.

  12. AlanSh

    Me too

    I had an accident 4 years ago that really wasn't my fault (lady ran into the back of my new car). I get one call about every 3 weeks asking the same question. I have no idea how to stop this, so now I just ask "which one - I've had so many".

    Alan

    1. Alan Ferris

      Re: Me too

      Three strategies:

      1) But it was my fault

      2) OK, let's just go through security, can I have your mother's maiden name?

      3) Does your mother know that you're involved in scams?

  13. Alan Ferris

    3 strategies

    1) But it was my fault.

    2) Can we just go through security, what's your mother's maiden name?

    3) Does your mother know that you're involved in this sort of work?

    I never get a follow-up call

  14. Tony W

    Never free of these

    My car was twice damaged while parked and unoccupied. So for the last 7 years I have received about a call a week inviting me to claim for whiplash injury. Suspect garage that did repairs but how can I prove it? Got fed up with making up clever answers, now I just end the call. Certainly not a victimless crime, fake whiplash claims cost British motorists millions in higher premiums.

    1. Robert D Bank

      Re: Never free of these

      Similar...between this Insurance bollocks and the 'Microsoft Department' saying I've been hacked, and my ISP saying my router has been compromised and will be cut off. So at least 3 calls a week, plus some other random ones at least 2-3 times a month. If I could get hold of these arseholes I would force them to eat fox shit for a month.

  15. steamnut

    Just unlucky?

    Her "crime" may have gone unnoticed if she had had the sense to use an alternative email service than Outlook.

    Back in the day she might have gotten away with this after responding to the IT departments' request: "Your Outlook mailboxes are full and should be purged ASAP"...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon