+Comment A UK car industry worker who abused his customer database access to send data to telephone scammers has been sentenced to six months in prison.
Mustafa Ahmet Kasim, of Rayleigh Road, Palmers Green, London N13, pleaded guilty to one charge under the Computer Misuse Act 1990 of causing a computer to perform a function with intent to secure or enable unauthorised access to personal data. He was sentenced yesterday at Wood Green Crown Court in northeast London.
As an employee of National Accident Repair Services (NARS), Kasim had access to that company's repair cost estimation software suite, which is called Audatex. Using his colleagues' login details, Kasim was able to get his hands on records containing "customers' names, phone numbers, vehicle and accident information," in the words of the Information Commissioner's Office (ICO).
When he moved to a different company that also used Audatex, Kasim carried on slurping customer details. NARS became suspicious when its customers began complaining of an increase in nuisance phone calls and reported the matter to the ICO.
The 36-year-old pleaded guilty in September at Highbury Corner Magistrates' Court. Unusually, the ICO chose to charge him under the Computer Misuse Act, which is the law normally used to prosecute accused hackers.
Commenting on the verdict, Mike Shaw, the ICO's head of criminal investigations, said: "People who think it's worth their while to obtain and disclose personal data without permission should think again. Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature and extent of the criminal behaviour."
Both NARS and Audatex's makers were said to have made changes to reduce the probability of such a thing happening again. Confiscation proceedings against Kasim under the Proceeds of Crime Act, aimed at clawing back the money he made from selling the ill-gotten data, are said to be ongoing.
The ICO's use of the Computer Misuse Act to prosecute here means Kasim now has a criminal record and a prison sentence to his name – even if, as is routine, he will serve a maximum of half that time behind bars.
The penalties available to the ICO in the Data Protection Act 2018 do not include prison sentences. Using the Computer Misuse Act to prosecute a data theft is another example of the way in which UK's data cops are getting creative with the law. ®