T-Mobile has admitted it was the operator whose staff sold customer data to competitors, but can't understand why the Information Commissioner decided to share the information. Staff at the network operator had developed a sideline selling customer records to brokers who then called up the customers to offer alternative …
"...it's clear that the ICO has manipulated this case into a cause celebre with impact far beyond its real importance."
Maybe, but then we go back to those arseholes who were wont to phone up from <insert phone company here> Upgrade Service, conveniently separate from <phone company>. People who aren't entirely on the ball (which nearly included me) could easily be taken in by a weaker contract and poor quality phone, if they thought it came from the network.
In my case, the fact that they were pretending to phone up from Orange when I left them years before was kind of a giveaway.
What other data, and whose data?
As I'm a long-time customer of T-Mo, I am quite concerned about this. I have to wonder whether this was purely limited to end of contract details as the people involved were dishonest scumbags who couldn't care a jot for the privacy of their employer's customers. I'm sure more complete personal and credit information would have netted them much more dough than just my phone number and contract end date.
While I have no complaints at all of T-Mo's handling of this as they were following direction from the ICO, I hope that they are now planning on full disclosure to the people affected and notification to each customer as to whether their data was likely exposed or not.
Conspiracy theory alert.....
Wonder if it was Orange paying for the info to pass to dealers/reps to get a better deal on the merger?
Mine's the flame retardant jacket with the official secrets folder in the pocket, and the bag with the stolen government laptop is mine as well.....
I would argue..
>impact far beyond its real importance
That allowing this selling of customers details can't just be let go with a shrug of the shoulders.
Any release of personal information can potentially be used by others to pretend they are you, or to contact you and show that they must be an authorised person (since how else could they know this info?) thereby increasing the chances of successful social engineering.
What's the point of me shredding all the envelopes and pre-filled in forms that I get sent, only for my mobile phone provider (in this instance) to sell that same info on?
It's not even as though they are giving me a discount on the phone or contract because of the additional income they will be getting from their unauthorised use of my data.
Keep your details to yourself...
...in the first place. I get pre-pay phones off ebay, or pay by paypal if from a dealer. No contract, no registration, no details handed over. Top up vouchers paid in cash. I do sometimes get calls from the previous owner's chums.
£2 a pop
I've seen B2B leads for expiring mobile phone contracts trade for £2 a pop, consumers usually less so. You can bet that it's not just T-Mobile having their data ripped off, they perhaps should deserve some credit for dealing with one of the mobile phone industry's dirtiest little secrets.
so, is this a breach of contract between myself and T-mobile and grounds for canceling a contract?
Cold callers and a cold night in Hell
They can leave me off their list, my number is TPS registered and it would be a cold night in Hell before I would buy anything from a cold caller. I guess I could go along with them for long enough to get a company name for the TPS complaint before admitting that though.
I'm on T-Mobile
I'm on T-Mobile and a while back I had a real problem with a company calling up and claiming to be T-Mobile, but it was obvious that they were not.
They said that my contract was up for renewal and so I could have a new phone (my contract was far from its renewal date).
I simply asked them to prove they were T-Mobile by telling me the model of my phone. They told me they didn't have that information. I said that they supplied the phone to me so they must know. They said that they don't keep a record of what phone I buy. "So", I said, "why do I see details about my phone when I log into the T-Mobile website?". Their answer: "Do you want a new phone or what?"
After about 10 calls in the same week from the same bunch I simply started yelling "F**k off!" and putting the phone down. They soon stopped.
1. Your sensationalist headline gives the impression that T-Mobile is itself responsible for the data being sold on, when the story states that the cause would appear to be a loose cannon within the company.
2. The same headline also implies that T-Mobile are somehow being flippant with regard to customer privacy, when in fact their willingness to investigate and co-operate indicates the opposite.
3. I disagree that this has become a cause celebre far beyond its own importance. Ok, so the data isn't as intrusive as some other examples, but so what? Companies need to start taking this stuff seriously, and rightly so.
Poor reporting indeed.
Disclosure: I don't work for T-Mobile, am not a customer of theirs or have any links of any sort with the company.
My details aren't in a phone book and I object to my information being sold. You may find it innocent enough but those same people would also have access to address and bank details.
The reason why cases like this get splashed everywhere is probably this: the press officers for such organisations are assessed/bonused on the amount of coverage, not its quality/meaningfulness.
"Employer catches employees misusing data and takes proper steps to stop it" doesn't drive column inches. Whereas the meaningless term "Data Theft" will garner attention, which can be cited when the press officer is negotiating this quarter's bonus.
No remark about all the things t-mobile should have done to prevent the leak in the first place, Bill? That's not like you :p
I think you're right though, the ICO brought this out to further their cause politically. So are they not so keen on prosecuting the miscreants now? Or was that just a line to shut T-Mobile up so their politicking could have maximum effect?
"denials out of all the other operators"
Hmm. The last time my (not T-mobile) contract was about to expire, I got phone calls trying to poach me.
Don't they all do it?
Ok, I get that it's irrelevant WHAT details they steal, there needs to be an example made to discourage it in future, but let's remember that EVERYONE gets phone calls from third parties around contract renewal time, no matter what network they're on. I usually get a solid month of calls the month after I renew mine. So either the network itself is selling the details, or the staff are doing it.
Also, here's a hint. When you say no to these companies they often just sell your details onto another company, it's standard practice, if you claim to be 15 years old they just scrub your details 90% of the time, it usually works pretty well for me!
Not that trivial!
"Customer details are in the phone book, and most people will tell you their contract renewal date if you call them up and ask (as cold callers are wont to do)."
Jeez, this might not be a hanging offence but Bill you really are going in the wrong direction with this one. The Register normally takes a decent enough stance on data theft and the need for greater powers for the ICO.
Which phone book contains customer details? Do you mean the BT one that is now approaching the size of a magazine (if you take out the business listings) as there are hardly any customers who wish to be included in it as they don't want random marketing calls?
How on earth do you feel justified in writing the comment that people will give up their contract renewal date if asked by a cold caller? Where are your sources to back that up? The only empirical evidence I presume you have is that you, yourself, are willing to divulge that information when asked?
The cold callers in this case can use this information to deceive people into thinking they are calling from T-mobile. For example "Hello Mr Johnston, as you are a valuable customer I wish to offer you a great deal on the renewal of your contract next month..."
This goes beyond the irritation of just receiving unsolicited calls.
The other point is that the money that the staff were supposed to be making from these sales is far greater than the maximum fine of £5000 and so there is no disincentive to doing this.
It will still be up to a court to decide the penalty but I can see some cases where a jail term would be warranted and certainly maximum fines that would allow recovery of all money made and more.
Are you really happy that any of your information could be available for sale to anyone else with little repercussions? Credit applications, bank details, shop purchases, travel plans...Really?
Not just T-mobile insiders selling to other providers.
I have under two months left on my T-mobile contract and T-mobile have a very clear "do not sell my details or pass them on without my permission" notification from me. Last week, I had 5 companies call me, all starting with a variation of "Hi, this is T-mobile, your contract is due for renewal", when pressed, they admit they're resellers who've bought my data from T-mobile.
T-mobile deny selling my data when I challenge them, even though the reseller says they got it from T-mobile and there's not too many other ways they could get my name, phone number, address, renewal date, phone type, etc.
...the ICO didn't splash the story. They said it was a UK mobile phone operator and T-mobile decided to fess up. They could have kept schtum.
I think however the issue goes deeper than most of the media version of the story would have us believe.
T-Mobile admit some of their staff were doing this, but how did it all start? Somebody must have put the staff in touch with the brokers.
The press are making much of the T-mobile staff being prosecuted. What about the brokers? If you want to stop the sale of data the punishments for buying need to be at least as harsh as those for selling.
Who were these brokers working for? Is there any evidence their employers had any knowledge of what was going on? More potential for prosecutions?
The other major operators were very quick to deny any involvement, but these brokers were selling contracts with their networks. How much investigation has been carried out to see if there was a more formal link? Have the other operators been investigated to see if it was only T-Mobile staff that were involved? I'm having a hard time believing it was that isolated.
T-Mobile couldn't have handled it better?
Fair enough, but it would appear T-Mobile had such a lax set of systems and procedures in place that they allowed the information to be taken out of the company so easily.
They are certainly far from blameless in all this. If the people at the top knew that data breaches such as this meant their ass would be slung in jail, do you think they would be so blasé about data security?
@AC - 11:32 - being a bit disingenuous...
"...the ICO didn't splash the story. They said it was a UK mobile phone operator and T-mobile decided to fess up. They could have kept schtum."
Oh, come on. You phone Orange, O2, Virgin, T-Mobile, Vodafone and one or two others, and say "Are you working with the ICO on a data theft case?" All bar T-Mobile say "No"; T-mobile refuse to comment. It doesn't take Sherlock Holmes to make the obvious deduction - and then they have to come clean.
So technically, no, the ICO didn't splash the story. But they must have known the information would get out.
@AC @ 11:32 GMT
Admittedly the ICO didn't directly identify T-Mo, their publishing of the story directly led to T-Mo having to 'fess up.
We have five mobile carriers of any significance. The other four flatly denied that the story had anything to do with them. Journalists can easily put two & two together.
T-Mo had two choices, either deny the story and face lots of accusatory stories about them doing so for months and then be completely roasted several months down the line when things go to court.. Or they could admit it now.
If T-Mo are going to have any shred of believability when they claim that it had not condoned the leak they had only one choice.
The ICO need to be careful that they don't make companies fearful of telling them about such incidents in future. If they feel that they are going to be splashed all over the front pages, as well as having to conduct all the usual audits and bureaucracy each time there's a problem then it's going to make firms reluctant to let the ICO know.
We're gonna need a bigger jail...
Not sure if I support sending anonymous T-Mobile goons to clink for doing what (judging by the comments above) everybody seems to be doing in the industry. Fines, both at the individual and corporate level, seem reasonable though.
Like others above, I find the tone of this piece a bit off-message for the Reg, where consumer-data privacy breaches of similar or even smaller scale usually get pretty short shrift and the ICO is usually bemoaned for its lack of balls (well okay, lack of empowerment really).
I don't like this behaviour one bit personally, and if I found myself subjected to it I'd be doing all I could to get someone punished/fired/fined for it. Am I petty, or is it just OK because everyone's doing it?
this isn't new
When I was with them years ago, I had calls "on behalf of tmobile" to offer me some dodgy contract.
I found it great fun to get them to explain every single part of the contract, the phone, the price plan, the payments etc etc for a good 25 minutes (usually while doing something equally inane like playing WoW) then saying "actually...nah sounds shit, bye" then hanging up.
they gave up after the 3rd time I wasted their operators' time. bellends
I heard this story last night on the radio and assumed it was O2. Have nearly always received a sudden influx in cold calls from non-O2 people, trying to get me to upgrade. However - it could well be that O2 outsource their (what I imagine is called) "proactive retention team" to A.N. Other company. I've never stuck with the call for long enough before yelling F.O.
A calm response I've started taking though, is declining to talk to any company other than X about my account with X and gently hanging up. I also like the new idea suggested by a commentard recently of "I'm sorry, I don't have a phone" and hanging up. My other favourite is "give me a minute while i find a pen for the details" and place them on hold until they give up and have an unnecessary phone bill.
I suspect the ICO released the details pour encourager les autres
Judging by the comments here and elsewhere, it's not just T-Mobile customers who've been cold-called by the switch-merchants: I'm with Orange and have received many calls from a Liverpool number asking me when my contract is due for renewal (asking why they don't know this already if they're calling from Orange and why they aren't calling from an 07973 number always elicits a hasty disconnection from the other end).
T-Mobile's bad apples have been caught out here, but I'll wager the practice is widespread throughout the industry: the more publicity there is around this case, the more people will pay attention to unsolicited calls and the fewer will get scammed.
So that's where they come from...
I started a new contract with T-Mobile about 2 months ago. Previously I'd been on O2, and in 5-6 years I'd never had a single cold call. Within a week of moving, I was getting cold calls from one particular number offering me an 'upgrade'.
At least now I know how they got my details.
I'm a long time T-Mobile customer...
And this is a cold call I received not so long ago...
"Hello there Mr AC. This is T-Mobile and we've noticed that your contract is up for renewal soon. Would you be insterested in blah blah...?"
"Er... I don't think so love, I'm on Pay As You Go. Nice try though!"
It's the usual "Let's fear-monger this totally out of proportion so that we can get our ulterior motive policies through easier" processes at work.
Blame the staff, why not?
Four years with Tmo, including two 18 month contracts. At the end of each I got a ream of persistent calls from third party companies, some claiming to be tmobile trying to flog me a new contract. I moaned at TM each time, getting the usual bland fob-off from the Philippines, and an ongoing assurance that I WAS opted out of marketing info.
Took a contract out with Orange and called TM a few days later to cancel the account - guess what? A mere 3 days before, someone - they claimed it was me - had renewed my contract. It was duly cancelled, and the TM bloke muttered something implausible about a third party agent renewing it to collect commission. In which case why on earth would they think it was me who renewed?
The only defence for TM is that Three were infinitely worse - a call 4 times a day at one point pimping insurance.
Unsolicited callers (which is anyone trying to sell me something) of any description get very, very short shrift from me. The only communication they get from me (before they get a word in) is "Just one second till I grab a pen..." Followed by snoring if I've been working nights, or silence the rest of the time. Surprisingly, the novices do give it a minute or so.
Until they start jailing the staff running the sidelines, and fining the companies (more likely) who pimp the details something more than 200 percent of the profit made on each infraction, plus 10 percent of turnover for each year they're caught, this will roll and roll. Theft is theft, and I couldn't really care less how disproportionate the punishment actually is.
Thieves, liars, cheats. And that's just the employers.
Dealing in stolen property
I thought dealing in stolen property was a criminal offence already.
I thought it already had prison as a possible sentence.
When can we expect someone to be locked up for dealing in stolen cellphone account records?
As has widely been pointed out, fines don't work in cases like this or in corporate cases of any kind. In a corporate case, the fine just gets passed on to the customers and the managers/directors effectively go unpunished. If the laws were enforced in such a way that there might actually be an effective punishment, people in authority might behave slightly differently.
Where do the MVNOs fit in this picture? Are their records at risk too if they're piggybacking on T-Mobile? (e.g. Asda????).
Not likely, they are still basically civil servants, so it'll be when a red hot ugly fella starts skating to work that you can use 'bonus' in the same sentence.
Had this been in an Indian Datacentre
.. we'd have seen much more hue and cry.. many more comments.
I don't think it's so trivial. Once the T-Mob nogoodnik accepts Mr Shady Broker's offer of a wedge of cash for names, numbers and end dates it's easy for him to be blackmailed into passing more sensitive information. If the penalty was higher in the first place it may be more of a deterrent.
It sounds like T Mobile have acted correctly and ICO have not
I understand from your report that the reason that TMo were told not to disclose the data theft was to avoid damaging the legal case against said theft.
I take it that the ICO can prove that they took legal advice that guaranteed that the case would not be weakened before making their broadcast. If the ICO cannot show evidence to support their breach of confidence then there should be an official investigation of the ICO.
My reading of your report is that TMo acted correctly and the ICO have tarnished TMo's image for the ICO's benefit, a clear case of abuse of trust.
Funnily enough, O2 called me shortly before my contract with 3 was due to expire. I listened to the deal they were offering, thought it sounded pretty good, so called 3 and told them "look, my contract's almost up, O2 are offering this, what can you do for me?". Unsurprisingly they made me an offer I really didn't refuse! ;-)
So cheers the bastard who sold on my details to O2, and up yours to O2!
Re: Had this been in an Indian Datacentre
Quite so. But because some dirty Britards peddle other people's personal info, it's probably celebrated in Thatcherite entrepreneurial circles as "making a bit of extra dosh on the side as a perk of the job" (with idiotic 1980s slang necessary to illustrate the mindset), despite the obvious illegality of it all. Unless the Thatcherite in question owns the company from which customer data is being pilfered, of course - then it's "unleash the hounds" given that "not sitting up straight" is a disciplinary matter in such enterprises.
But yes: the average Daily Fail-reading Britard can't work up much indignation over such all-British affairs, unfortunately.
What the F**k do you expect?
An increasing number of staff are on temp contracts with no employment rights, targets are constantly being increased, staff are being told to accept it or go find a job elsewhere... then someone comes along and offers a wad of cash in exchange for customer details...
So, How safe is YOUR data?
with the gist of your conclusion. I think it is okay for ICO to overplay this. You can have the right conclusion using the wrong reasoning, it's not exactly healthy but then again our society isn't very good at being consistent or sensible. I would cite the smoking ban as a good example of this (I argue the health risks were overblown, but it is out of order that non-smokers just had to tolerate smoking).
Selling personal data is a serious problem and happens all over the place. You can easily ruin someone's day (or days) using their contact information and an auto-dialer. I used to work as a bottom rung teletard salesman and from that experience I know a hell of a lot of shady deals go on with customer data. I called people who insisted they had only given the details of their new number to either a high street bank or a well-known television subscription service. In some cases these people had only had their new number for a week! How did my company end up with these details?
People working in industries that handle customer data are selling the data on and I think it is pretty widespread.
Damage to T-Mobile
I'm not a big fan of T-Mobile but it is not only their customers who are victims here: T-Mobile has lost business to competitors due to breaches of confidence by some of their employees. Presumably, those employees can be terminated and possibly, sued by T-Mobile. T-mobile might also want to pursue the brokers who paid for the stolen data.
I knew it!
Up until I took out a contract with T-mobile a couple of years ago, my main email address didn't seem to have made it onto any spammer lists and I didn't really get much in the way of cold calls or junk texts. Since taking out that contract, I've seen spam directed to my main email address, had various cold calls from various companies (in spite of TPS registration) and do receive the occasional junk text from various places.
I just knew they had sold on my details, but didn't have any proof. One of the cold-calling mobile phone brokers even claimed that they had got my number from T-mobile when I quizzed them about it. I wasn't sure I believed them at the time, but it seems like they were telling the truth.
Scum-sucking, bottom-feeding, sputum-drooling, malodorous little oiks, so they are.
So convictions for data theft end up with a custodial sentence, then how long until file sharing becomes 'data theft'?!
No-one has mentioned the SFO so far - are we leaving it all to the ICO to sort out? That makes me feel a lot better.
Not the only offender
I'm sure Orange did this for years. Same deal as the O2 callers - a few months before/after contract expiry I'd get cold calls (and texts) claiming to be from Orange and offering me an upgrade.
I've switched to O2 now and it did seem to stop over the last year or so but Orange were definitely doing this as well in the past.
I'm suspecting that no one can ever make your data totally secure. When a new version of a PC operating system is available, one might expect it to be fully secure, but it never is. Always with the updates & patches. But I trust the company did all it could think of, at each stage, to avoid problems.
Isn't it the same scenario with companies and your personal data? So long as all the systems and processes have been considered, and shown to appear to be safe, and any known risks are monitored, isn't that the most any company can do?
Ultimately it is individuals who are the perpetrators of such crimes, and they can get employed by any company.
...why I kept getting calls, despite being on TPS.
I hope they do get the jail.
"1. Your sensationalist headline gives the impression that T-Mobile is itself responsible for the data being sold on, when the story states that the cause would appear to be a loose cannon within the company."
T-Mobile is responsible. Their staff accessed data from their systems. T-Mobile should have much better systems for preventing this sort of thing. In their defence all they have is the fact that they reported the breach to the ICO when they became aware of it. It did, however, seem to take a long time before they became aware of the breach. So I'm afraid they must shoulder some of the responsibility.
This raises quite a problem for the ICO. T-Mobile's data security is quite clearly crap and something needs to be done to tighten it up. So what does the ICO do? If they prosecute T-Mobile (something I would insist upon were I their customer) then that would discourage other companies from reporting such breaches. If they don't prosecute then this sends out a clear message that companies are exempt from prosecution as long as they fess up before they are found out. Quite a dilemma.
Oh and for those wondering how security could be tightened up there are many solutions. For a start the number of staff who can view contract details should be limited to those who really need to do so to do their jobs. And even if it's not limited it should be pretty easy to spot the users who are doing too many queries on such data.
Hang the messenger
In this case ICO heads should roll. They forced T-Mobile to admit this had happened when T-Mobile were not ready to do so. As a result customers have been put at risk and the people who bought the data will no doubt be hiding their tracks as we speak.
So which MP is to blame for this? After all we are talking civil servants here so they would not do this without the authority from someone.
Question on Contract
Since this is a breach of contract, Data Protection being a very important part of any mobile contract, can my friend who has been on T Mobile and is now receiving upwards of 3 calls a day asking her to upgrade sue T mobile for the entire cost and charges to the contract and end the contract with no penalties?
I think that if a LOAD of T mobile customers call Breach of Contract and it loses a few million pounds or preferably into bankruptcy, the other vendors will have to tighten up their procedures and we can hopefully kill off a few of these damned brokers as well.
At least they're doing something
Like others posting here (and elsewhere), T-mobile are hardly alone in this, although it sounds like at least they're willing to disapprove of it.
I was with Orange for years, and they had precious little interest whenever I reported that some third party had phoned me offering me an upgrade, pretending to be them (not that I had much luck getting Orange support to do anything else, either - I was with them for as long as they had the best tariffs, never for their support, although I have a little more sympathy since the IE6 story broke). I wonder if T-mobile will change their behaviour after the merger. I hope not - I'm with them now.
In the end, whenever anyone phoned me up offering an upgrade, I got them to admit who they were and then pointed out they were calling a TPS line. I don't think I bothered reporting them to anyone further afield than Orange, though.
It could be worse. I had a repair man from Sky charge on the basis that I'd got conflicting stories from Sky and a third party about whether I was still in warranty, and Sky's customer service accused me of publicising my contract (with the Sky dish at the *back* of the house, where it's only visible from a few back windows) rather than showing any interest in the possibility that someone might be selling customer details.
Frankly, anyone in the UK I can deal with. I'm a lot less sure how you report an Indian call centre for UK cold call regulation violations.