Former car rental biz staff gave customers' details to phone pests Former staffers at a Cardiff-based car rental company have been sentenced for conspiring to steal customer information to sell to ambulance chasers. The three data thieves were employees of Enterprise-Rent-A-Car sold the details of tens of thousands of the company's customers and sold them on for hundreds of thousands of …
Where does insecure systems come into play here when you are the person that was given that information in the first place before you enter that into the company's car hire system?
The last time I had someone run into me, my insurance company called a local office of a big name hire car company, explaining the case, then tells me to call them to confirm when I can pick up, so they would have had the details from the insurance company who would explain that they are picking up the tab as it's a replacement vehicle, and they would have my direct details too, all noted down by the reception agent, and all done over the phone.
Enterprise gets paid 400 000 because employees who get contacted by insurance companies recovery service team to arrange for replacement hire cars for their customers also noted down the customer details seperately, probably on a post-it, to be sold on, abusing the trust placed in them by the company, by the insurance companies that partnered with them, and the end users who needed a replacement car, and also probably violating a series of company procedures to boot...
Anon due to my job manipulating with personal customer data!
"Where does insecure systems come into play here when you are the person that was given that information in the first place before you enter that into the company's car hire system? [...] also noted down the customer details separately, probably on a post-it, to be sold on, " --- AC
"Details of tens of thousands of the company's customers and sold them on for hundreds of thousands of pounds" ---TFA
Seems unlikely to me that the mechanism for selling that quantity of records is Post-Its; a pound to a penny we're talking USB sticks or other portable media and taking details in bulk from "databases" (which may be nothing more than spreadsheets) rather than filching them one at a time.
Did ICO/Plod go after these criminals ? These are the very same who provide a market for the calls that we all get ''concerning the accident that you had recently''. Hit them hard with a big stick please, make the directors personally responsible for every penny of fines and do us all a big favour.
I wonder if there has ever been a case of a cold calling company being offered this sort of data, where it's blindingly obvious it's not sanctioned by the source company and therefore obviously illegal, who came forward and blew the whistle on the sellers. I'm willing to bet that the answer is "never".
Why did Enterprise get the £400k?
Good question.
When I first read it, prior to reaching that bit, I was thinking the perpetrators sold the details "for hundreds of thousands of pounds" and then received fines of £7,500, £3,000 and £1,200 - therefore suggesting [some] crime does indeed pay.
Then I saw the £400,000 and thought, oh, okay, fair enough.
I initially thought that perhaps prior to any of this ending up in the hands of the law, customers affected by this established for themselves that the ambulance chasers got their contact details from Enterprise's records - so the £400,000 was compensation for damage to their reputation or something like that. (Not that I know what their reputation is like to begin with - I've seen one or two of their adverts, and they're annoying, but that's it.)
However, I then put two and two together, and I may or may not be coming up with five. The perpetrators sold the details sold the details "for hundreds of thousands of pounds" and £400,000 is indeed hundreds of thousands of pounds. I'm therefore now wondering if Enterprise got from them something in the region of the amount they got from the ambulance chasers - i.e. it was data from Enterprise's records so have they, in effect, successfully got the proceeds of the sale of the data?
"Opportunity cost of of being told to "no thanks, we have it already" when they tried to sell the data themselves?"
If the company figured out "we could have sold this data for £400,000, but we would never have done that, because of the damage to our reputation if it is found out", and three employees _did_ sell the data for £400,000, then yes, that's £400,000 of damage to the company, plus the difference between (damage to the reputation) and £400,000.
now I get all manner of junk mail for Dr myname
Write "not known at this address" and put in a postbox - marketing dweebs will kill a mailing identity pretty quickly if they think it is invalid. But for a bit of fun, why not log into your Travis Perkins account, and change your address to their Northampton head office?
Err, write deceased on it, makes it clear they have a cold lead and it WILL get you removed...does it successfully for years.
Oh and for cold calls about accidents tell them you killed someone and are gratefuk someone finally believes it's not your fault...then mention seeing body parts strewn about...they won't call again.
Alternatively say the person they are asking for died this morning and state you are investivating this unexplained death and want to know their relationship to the deceased...they'll usually tell you the company behind the calls and where they got your number.
"Shouldn't it also be illegal to buy or obtain "stolen" information"
You mean like the UK and US government spooks, who simply steal it rather than profit financially from it.
Or Google/Facebook etc, who take your usage of their systems as implied consent in order to profit from Advertising revenues
Presently it is not. It will shortly be.
This is the only way the government(s) can get to the likes of Assange as there is no criminal offense for which they can nail them today.
So it is not a matter of if handling stolen data will be handled like fencing stolen goods. It is a matter of when will this happen.
Just how much is it worth?
Thinking about it they'd need quite a lot of return as a business to think £400k on data is worthwhile. Even if the data source is an extremely rich one, the conversion rate via cold calling leading onto a sale (i.e. claim) would need to be very high to leave enough after costs to warrant such a spend.
And yes, I appreciate No Win No Fee is big business but £400,000 still seems on the high side for purchasing the knock off data
It's worth a lot, because it's specifically details of someone who has had an accident in the last few days (if they've got to the point that a hire car is being delivered)
This is not random cold calling, "Oh hello I'm calling about the accident you've had". This enables the tossers buying the data to be a little more "Oh, hello Mr Jones. Just a followup call about your accident on the 3rd July, we've been instructed to conduct an interview as your car ABC123 was so badly damaged we need to check a few facts to get the compensation going". It's a little more believable.
Once they've got their foot in as "solicitors" (I'm sure they're called that legally, if not ethically) then there's a huge amount of cash to be had. Firstly, they'll tell the "client" to send their Enterprise car back, as they can arrange a better one (You don't have to accept the insurance's hire car offer, you can arrange it yourself and charge it to the third party's insurance). This will be for £200+ a day rather than the basic Enterprise rate. Naturally the solicitors are paying a nice cheap rate, but the value on paper to the third party is £huge.
Then they'll start claiming on your behalf for costs - loss of earnings, loss of "enjoyment of personal time" (i.e. you hurt your little finger so couldn't play golf), loss of contents of car, stress etc. All this gets charged to the third party by the solicitors, and you'll get it minus a cut..... OR it gets charged to you in the event it turns out you were to blame. They don't care, they don't ask questions, they send the bill anyway. You can try and deflect it to your own insurers but they'll likely tell you to jog on, since you didn't use their own legal protection and hire car.
Essentially, if you've had a crash, you're worth a LOT of money. 30 days to resolve a claim at £200 a day car hire plus a cut of personal injury? That's worth more than 50p for a phone number.
This post has been deleted by its author
This post has been deleted by its author
"I guess there's loads of places they could get mobile numbers from though."
Given the "take up" of mobile phones, over the last 10+ years, it's fairly easy to set up an auto-dialler to work through a range of numbers all starting 07...as so many have been issued, there's a good chance of them being successful and hence any numbers that are "live" will give a connection (even if it's just voicemail), while "inactive" numbers won't connect.
So, the issue of "cold-calling" is just down to the probability of the number being "active", as it is with landline numbers.
But the scammers have moved on now and want more than just phone numbers - so a name or part of an address is more useful to them :-(
1. Enterprise because they were charged with the protection of the data but (allowed/ conspired with) staff to resell
2. Data purchasers, who held data without consent and/or if outside UK parties 1/3 guilty of illegal data export/ espionage (hanging too good)
3. Enterprise employees who sold data "totally" without Enterprise's knowledge.
Data protection is so broken no one can say it is anything other than an excuse to implement the ideas in the Orwellian research project code name 1984
It explains where the scammers got some of their data from - and in one call where I decided to play with them to waste some time, it became clear that they have direct access into the DVLA's live database too.
What I don't understand is why the ICO seems unconcerned about this aspect of the scam operation.
But can the government impound all the computers of the companies that bought that data, and erase every copy of the illegal data, to ensure the affected individuals will never receive an annoying call like this again?
If the law doesn't provide for something like this, victims of this sort of crime can't get proper restitution.
I rented a van from Enterprise and on collection I was asked to give a second phone number of someone they could contact in case of an emergency.
I said no, on the basis that I am an orphan so they would need Derek Accorah to contact my parents and that as my partner wasnt present I didnt have her consent to give her number. They insisted on a second number and so they got the broadband line which has no handset attached to it.
I explained to them that asking people for other peoples numbers was a dubious practice given the use of it for telemarketing spam and then today I read this article.
The best part was apparently this 2nd number was "enforced on the system" which was bollocks as I had rented a car 2 weeks prior and also have an enterprise account neither of which has never asked for a second number.
Got to wonder if the staff in my local branch of Enterprise aren't doing a little light data skimming?
"Got to wonder if the staff in my local branch of Enterprise aren't doing a little light data skimming?"
Notify the ICO.
My experience of these kinds of scams is that it's seldom confined to one or two branches. The gangs will systematically attempt to subvert staff at as many locations as they can.
Currently my car hire firm of choice (for infrequent hires).
Purely because their pricing model is dirt cheap rental and expensive insurance for the excess.
If you buy an annual third party policy (probably around £50) to cover the insurance excess you are quids in after a few days rental.
Caveat - just tried to check prices (slow web site) and a hire seems to be around £40 per day. So perhaps they have changed their pricing model. Could go as low as £14 a day a while back.
In this case, the miscreants should get random calls over 6 month from ambulance chasers after 5pm which they must answer and spend at least 2 minutes on said call. Failure to do so (or answer the call) = 1/2 day in jail per call when the 6 months is up.
If that does not give them an insight into people's desire for privacy then nothing will.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
