Mark Bridge writes:
The Information Commissioner’s Office - the UK authority that upholds information rights - has published details of its recent case involving T-Mobile. Contact information and expiry dates for minimum-term contracts were being sold to third parties, enabling mobile phone dealers to target potential customers who were in a position to sign a new contract... which could earn the dealer hundreds of pounds for a new connection.
This story begins back in early 2008, when a T-Mobile customer service manager was dealing with a complaint. To avoid the customer receiving any bills while the complaint was being dealt with, the manager temporarily changed the customer’s account address to his own office address.
In September 2008, the manager received a marketing letter from a mobile phone dealer. The letter contained details that could only have come from T-Mobile’s customer database - and this information had never officially been given to any other company. It appeared that T-Mobile customer information was being stolen. T-Mobile contacted the ICO with an official complaint in December 2008, which resulted in the launch of a criminal investigation.
The ICO’s investigators started by visiting Chitter Chatter and Fone House, the companies that had sent the letter. They’d bought the customer information from data list brokers, which are businesses that specialise in providing information about potential customers.
Legitimately-purchased customer information appeared to have been mixed with stolen T-Mobile customer data. After identifying two list brokers that had possibly obtained T-Mobile data, the ICO served them with ‘demand for access’ notices.
Open Source Research, one of the brokers, said it had used a website called Afiliates4U to obtain data. The ICO’s team noticed that one of the Afiliates4U users was offering T-Mobile data that was said to be unavailable from any other source. He was also an employee of a data list broker they’d previously been looking at.
Two search warrants were obtained. One was to enter the home of the person who’d advertised on the Afiliates4U website, the other was his employer’s premises.
Both warrants were executed in April 2009 by Kent police. The individual turned out to have been exaggerating his abilities; he simply bought other people’s data. The business was also an innocent purchaser buying data in good faith; it identified its only source for T-Mobile data as Peter Sharp of Rochdale-based Up Front Data Limited.
Two more search warrants were obtained; one for the business premises of Mr Sharp and one for his home address. Mr Sharp’s laptop showed that he’d been trading in T-Mobile data; he identified his source as David Turley of Direct Mobile UK Limited.
Mr Turley was a former sales manager for T-Mobile. Records showed that he traded from his home in Birmingham, so a search warrant was obtained for this address. The property turned out to be let to someone else, although Mr Turley then contacted the investigators and agreed to be interviewed.
On 1st September 2009, David Turley admitted buying T-Mobile contract data from a T-Mobile sales manager called Darren Hames. He said Mr Hames would meet him once a month with a memory stick containing customer data. It appears that Mr Hames was paid from £2,000 to £5,000 per meeting.
Darren Hames was interviewed the following day and admitted his part in the offence.
In court last July, the prosecution claimed that Mr Turley approached Mr Hames about obtaining the data. It says he made around £60,000 per year from selling this data. He’s since been ordered to pay £45,000 confiscation costs (under the Proceeds of Crime Act 2002) and given a three year conditional discharge.
In November, Mr Hames was accused of obtaining over half a million customer records and selling batches of 20-30,000 records at a time. He admitted that Mr Turley paid him around £30,000 in total for this data. He has been ordered to pay £28,700 confiscation costs, £500 towards prosecution costs and has been given an 18 month conditional discharge.
Full details about how Darren Hames obtained the data haven’t been disclosed by the ICO; it says this information would potentially be damaging to both T-Mobile and other mobile phone service providers.