Data Theft – T-Mobile 1st Conviction

A former T-Mobile employee has admitted his role in the illegal sale of massive volumes of customer data to marketers.

David Turley, of Birmingham, 39, pleaded guilty to 18 charges under section 55 of the Data Protection Act at Chester Crown Court in July 2010. A second former T-Mobile employee, Darren Hames, of Staffordshire, 38, will enter his pleas in relation to his alleged role in the theft on 23 November 2010.

The illegal sale of millions of subscriber records was revealed by the Information Commissioner Christopher Graham last November, as part of a campaign for tougher sentences for data thieves.

The T-Mobile data was used to cold call and poach subscribers who were coming to the end of their contracts.

The Register

Data Theft – T-Mobile (Nov 2009)

Personal details of thousands of mobile phone customers have been stolen and sold to rival firms in the biggest data breach of its kind, the government’s privacy watchdog said today.

An employee of phone operator T-Mobile sold the customer records, including details of when contracts expired. The millions of items of information were sold on for “substantial sums”, the Information Commissioner’s Office (ICO) said. Rival networks and mobile phone retailers then tried to lure away T-Mobile customers by “cold calling”.

Guardian

BBC

Data Theft – T-Mobile 2nd Conviction

Darren Hames, aged 38, from Staffordshire, who used to work for T-Mobile UK, pleaded guilty at Warrington Crown Court to having sold confidential customer information from the telecom operator to third parties.

Darren Hames was found guilty under Section 55 of the Data Protection Act. Sentencing will not occur until the New Year (2011). The first man convicted in relation to this incident was David Turley, of Birmingham, 39.

The ICO statement on Hames


How to Hack an Oyster Card

There are many reasons to want to know where somebody has been on the Tube:

  • Do you want to find out where your girlfriend/boyfriend has been on the tube?
  • Are you concerned that your boss is traveling around London, looking to replace you?
  • Are you just a regular stalker/paparazzi who wants to follow somebody around?
  • Are you a private investigator who wants to know where your perp has gone on the tube?

Whatever the reason, the following guide, of just five simple steps, will show you how to access the travel details of a person’s recent underground journeys:

  1. Obtain the relevant Oyster Card
  2. Take the card to the nearest London Underground Station
  3. Walk up to a counter, hand the card over and state “Excuse me mate, but I am not sure my balance is right on this, I think I didn’t swipe out recently, can you check it for me?”
  4. The TFL staff will then print out a list of the last couple of weeks’ journeys and hand them to you
  5. Leave the station with the card, the paper, nefarious mindset and a maniacal laugh

Joking aside, this actually works.

This is slightly concerning, because people can so easily access other people’s travel details. This may not bother many people, who will simply say that their journey to work and home again is their standard commuter route, and so of no interest. Others may think differently.

Firstly, private investigation firms do still use illicit methods to obtain data. The recent telephone bugging scandals involving journalists are nothing new; it is just that they have only now come to light. A few years ago, several well-known companies were involved in a case that showed that information was obtained illegally, via data theft.

High-net-worth individuals, especially if they are going through a divorce or possibly a major deal, can attract the attention of investigation firms. There have been occasions when these individuals have had their routes monitored, their phones and computers hacked into, and other such activity.

People who are involved in protests, anyone from animal rights activists to the anti-war lobby, are likely to be monitored and tracked where possible, and this is not all done via the state. Large corporates that are likely to be disrupted, or targeted, by protests sometimes employ private firms to provide their own intelligence briefings, and these firms will go to great lengths to obtain this information for their client.

Interestingly, TFL (Transport for London), who operate the London Underground, have an exemption from the Data Protection Act, which allows MI5 and the police to get near-live data from the system, and so track people moving around London.

Data Theft and the Legal System

Recently more news has come to light about data theft: More people are implicated, more data has been misused, and the fines seem to be poor. This all raises more questions than it answers.

A few days ago Matthew Single was sentenced for publishing the BNP membership details, which he took from the BNP, i.e. data theft. The ramifications of publishing the data were a series of vigilante acts against the members. Regardless of your views about the BNP, they are a legal party, membership of the BNP is legal, and they have even won an election. However, vigilante acts and data theft are not legal.

Despite this, the fine for publishing the data, for breaking the law, was just £200. Even the judge complained about the level of the fine.

In addition to this, more and more details of data theft are gradually leaking out. There have been allegations of Prince William and Prince Harry’s phones being accessed. Also, the previous Head of the Professional Footballers’ Association, Gordon Taylor, had his phone hacked by the News of the World. The News of the World paid £700,000 in damages, following a court case, “but on condition that details of the case were not made public”. How can such a major media outlet go to court, lose, and still manage to keep the details of such an important case secret for so long? The key word in that sentence is probably “major”.

The ICO has recently stated that they have been let down by the press, politicians, and the court system: by the failure to create strong enough laws, and by the failure of the courts to enforce effectively the laws they have.

Recently Steve Whittamore, a former police officer turned private detective turned crook, has come back into the news. He worked for a company called JJ limited and during his time there uncovered 17,500 pieces of personal information, for over 400 journalists (from a variety of papers). The data he and his colleagues obtained varied from banking and telephone information to DVLA and PNC records.

In February 2004, Steve Whittamore and three others were all convicted of the offences they were charged with and received ... a conditional discharge. A conditional discharge, for those not familiar with the legal system, means nothing.

It means they went to court, got told they were bad people who had done a very bad thing, and then walked out, without so much as a peek at a prison. To criminals a conditional discharge is about as effective as sending a sex addict to a lap dancing bar. It just encourages them.

So, the laws are all a bit rubbish, the courts are useless, and the CPS could not organise a piss-up in a brewery. But who is buying all of this data (other than journalists)?

So, Who buys Stolen Data?

[The article below has been re-published from July 2008 due to the current relevance]

A lot of the market for personal data theft is in the “gray/black” market.

Some companies specialize in the selling of personal information, anything from just the name and address (phone book/electoral roll), up to bank details, phone records etc. The reported costs of this data vary from $100 to $500. The companies that sell the data to lawyers and businesses may not “acquire” the information themselves, but rather subcontract it out, keeping the “dirty end” of the business very much at arm’s length. This means that the person who uses the data, apparently legitimately, is removed by at least two steps from the actual “data theft”.

One such example involves Mishcon de Reya, a famous UK law firm, and Carratu, an investigation agency, which were involved in the purchasing of stolen information.

In this case Mishcon wanted to find information about Mr Hughes, the former chairman of the now collapsed Allsports. Based on this, Mishcon instructed Carratu to track down Mr Hughes. Carratu then instructed Sharon and Stephen Anderson, who are independent contractors. Sharon and Stephen then sourced a variety of information about Mr Hughes, including details of 11 of his bank accounts. They charged around £150 for each piece of financial data. They gained access to this information through phone calls (impersonating Mr Hughes), false letters, etc.

Once the Andersons had “stolen his identity” and got the relevant information, this information was then passed from the Andersons to Carratu, then from Carratu to Mishcon, and then to Mishcon’s client. The whole incident only came to light when Mr Hughes took Carratu to court to find out how they had accessed his bank accounts.

It has since been revealed that Sharon and Stephen Anderson made around £140,000 a year doing this, which equates to nearly 4 pieces of financial information every work day. This means that they are supplying a lot of data to a lot of companies.

Articles in the Guardian and Computer Active and ICO

Other cases of people obtaining and selling data:

Man Convicted of selling personal data

ICO Publishes list of Media Buying Data

So, who buys the stolen data?

The media (who are always reporting on the data theft), people in the investigation industry (who are there to protect the public and businesses), and business (who are the victims of hackers and data theft).

Who suffers most? The public.
