A company director has been fined after illegally accessing one of Everything Everywhere’s (EE) customer databases.
Matthew Devlin, 25, from Halifax, Yorkshire, used details of when customers were due a mobile phone upgrade to target them with services offered by his own telecoms companies. He had impersonated a member of EE’s security team during calls and emails to the phone company, in an attempt to obtain passwords and login details to their customer database. He succeeded on one occasion, and was able to access the records of 1,066 customers.
Devlin, a director of three marketing and telecoms companies, appeared before Calderdale Magistrates’ Court on 11 November. He was fined £500, plus £438.63 costs and an £50 victim surcharge.
ICO Head of Enforcement Stephen Eckersley said:
‘Personal data is a valuable commodity. Devlin lied and manipulated to access this information for his own profit and now he’s facing a fine and a criminal conviction. EE swiftly alerted us to this breach and their security procedures allowed the ICO to identify Devlin as the perpetrator.’
Christopher Graham, Information Commissioner, said:
‘Fines like this are no deterrent. Our personal details are worth serious money to rogue operators. If we don’t want people to steal our personal details or buy and sell them as they like, then we need to show them how serious we are taking this. And that means the prospect of prison for the most serious cases.’
Laurence Eastham writes:
Yet another conviction is followed by complaints from the ICO that the offence has insufficient punishment. On the facts as set out by the ICO press release, this is fraud under the Fraud Act 2006, s 2, and could have been prosecuted as such. Can the ICO explain why they refuse to take the option of seeking conviction for an imprisonable offence? That would provide the deterrent that they say they want. I appreciate that they need to press the CPS to take action and that, to that extent, the matter is out of their hands but I note that there is nothing to indicate that they asked the CPS to act.
There is another serious point to weigh here. While the duty of a prosecutor is not to act as the avenging angel but, in the well worn phrase, to act as the ‘minister of justice’, that duty includes giving courts the option of having an appropriate sentence available by charging in a way that properly reflects the criminality involved. It is not reasonable to charge a lesser offence and then complain that the punishment did not fit the level of criminality when a more serious offence was available to be charged.
My initial reaction to yet another set of ICO complaints about the level of fine was to wonder why they persist in undercharging in this way. Is it because they want to have these cases as a back-up for their continuing demand for the Criminal Justice and Immigration Act 2008, s 77 to be implemented, under which offences under the DPA, s 55 will be made imprisonable? That would clearly be an improper reason for ruling out more serious charges.