In November 2018, a motor industry worker, Mustafa Kasim, was given a six-month prison sentence for accessing motorists' personal data on his employer's computer system without authorisation and selling it to rogue telemarketers. The case was brought by the Information Commissioner's Office (ICO), which usually prosecutes cases like this under the Data Protection Act 1998 or, more recently, the Data Protection Act 2018. However, this case was brought under the Computer Misuse Act 1990, which includes the potential penalty of a prison sentence, in order to reflect the nature and extent of the offending. Mr Kasim was the first person to be imprisoned as a result of an ICO prosecution.
Whilst working for accident repair firm Nationwide Accident Repair Services (NARS), Mr Kasim had accessed thousands of customer records, using a colleague's login details to access a software system that estimates the cost of vehicle repairs. The records contained customers' names, phone numbers, and vehicle and accident information. After he started a new job at another car repair organisation that used the same system, he continued to access customers' private data.
After NARS noticed an increase in customer complaints about nuisance calls, it contacted the ICO and assisted with the ensuing investigation.
On 15 July 2019, confiscation proceedings under the Proceeds of Crime Act 2002 resulted in the judge hearing the case finding that Mr Kasim had benefited to the tune of thousands of pounds as a result of the offences and ordering him to pay a confiscation order of £25,500. He has three months to comply with the order or he could face a further 12-month prison sentence. He was also ordered to pay £8,000 in costs.
Mike Shaw, Group Manager Enforcement at the ICO, said, "Our investigations found that Mr Kasim had benefited financially from his illegal activity. As a result of his activities, people whose data had been stolen received cold calls and his former employer faced huge remedial costs.
"Personal data obtained in this way can be a valuable commodity and selling it may seem like an easy way to make money but the penalties can be severe. The outcome of this case should serve as a deterrent to others."
Criminal prosecution penalties are set by the courts, not by the ICO. The maximum penalty for criminal offences under both the Data Protection Act 1998 and the Data Protection Act 2018 is an unlimited fine.