ICO Launches Investigation Into T-Mobile Data Scandal

The Information Commissioner’s Office (ICO) has launched an investigation into the unlawful trade of personal information, following its discovery that staff at mobile phone company T-Mobile sold thousands of customers’ details to third-party brokers.

The news emerged after T-Mobile alerted the ICO that employees had allegedly sold details relating to customers’ mobile phone contracts, including their contract expiry dates. Competitors were then using the information to cold-call customers as they were reaching the end of their contracts to offer them alternative deals.

“Many people will have wondered why and how they are being contacted by someone they do not know just before their existing phone contract is about to expire,” said the information commissioner Christopher Graham. “We are considering the evidence with a view to prosecuting those responsible and I am keen to go much further and close down the entire unlawful industry in personal data.”

Graham was initially reluctant to name the operator involved, in case it prejudiced a prosecution, but yesterday evening a spokesman for T-Mobile confirmed that the company had “pro-actively” approached the the government’s privacy watchdog after making the discovery.

“T-Mobile takes the protection of customer information seriously,” said the spokesman. “When it became apparent that contract renewal information was being passed on to third parties without our knowledge, we alerted the Information Commissioner’s Office (ICO). Working together, we identified the source of the breach, which led to the ICO conducting an extensive investigation which we believe we will lead to a prosecution.”

According to the ICO, the information has been sold on to several brokers and substantial amounts of money have changed hands. Graham has described the data breach as the biggest of its kind.

The T-Mobile brand suffered more embarrassment earlier this year, when owners of T-Mobile Sidekick in the US were warned that they would “almost certainly” have lost their personal data following a server failure at Microsoft. However, sales of the smartphone resumed yesterday, following a six week period of data restoration which got at least some users’ data back.

In response to the latest scandal, Graham hopes to win support for the government’s proposal to introduce a custodial sentence for breaches of Section 55 of the Data Protection Act from 1 April 2010. Section 55 states that a person must not knowingly or recklessly, without the consent of the data controller, (a) obtain or disclose personal data or the information contained in personal data, or (b) procure the disclosure to another person of the information contained in personal data.

“More and more personal information is being collected and held by government, public authorities and businesses,” said Graham in a statement. “If public trust and confidence in the proper handling of personal information , whether by government or others, is to be maintained effective sanctions are essential … A custodial sentence will also have the added benefit of making the Section 55 offence a recordable one and open up the possibility of extradition in appropriate cases.”

The ICO is backing up its case for introducing jail sentences with a separate case, in which forged identity documents were used to gain access to 41 people’s credit files, as ell as several other cases which highlight the need for tougher sanctions to deter the trade in personal data.

Some concern has been expressed in the past that heavy penalties for misuse of data could be detrimental to investigative journalism. However, the ICO stresses that the defence available to journalists would be strengthened under the proposal.