back to article Former car rental biz staff gave customers' details to phone pests

Former staffers at a Cardiff-based car rental company have been sentenced for conspiring to steal customer information to sell to ambulance chasers. The three data thieves were employees of Enterprise-Rent-A-Car sold the details of tens of thousands of the company's customers and sold them on for hundreds of thousands of …

  1. Bob Rocket

    WTF?

    Enterprise get paid £400,000 after their insecure systems allow their customer details to be stolen by their employees.

    I can see the incentive to run a tighter ship in future

    1. Anonymous Coward
      Anonymous Coward

      Re: WTF?

      Where does insecure systems come into play here when you are the person that was given that information in the first place before you enter that into the company's car hire system?

      The last time I had someone run into me, my insurance company called a local office of a big name hire car company, explaining the case, then tells me to call them to confirm when I can pick up, so they would have had the details from the insurance company who would explain that they are picking up the tab as it's a replacement vehicle, and they would have my direct details too, all noted down by the reception agent, and all done over the phone.

      Enterprise gets paid 400 000 because employees who get contacted by insurance companies recovery service team to arrange for replacement hire cars for their customers also noted down the customer details seperately, probably on a post-it, to be sold on, abusing the trust placed in them by the company, by the insurance companies that partnered with them, and the end users who needed a replacement car, and also probably violating a series of company procedures to boot...

      Anon due to my job manipulating with personal customer data!

      1. John H Woods Silver badge

        Re: WTF?

        "Where does insecure systems come into play here when you are the person that was given that information in the first place before you enter that into the company's car hire system? [...] also noted down the customer details separately, probably on a post-it, to be sold on, " --- AC

        "Details of tens of thousands of the company's customers and sold them on for hundreds of thousands of pounds" ---TFA

        Seems unlikely to me that the mechanism for selling that quantity of records is Post-Its; a pound to a penny we're talking USB sticks or other portable media and taking details in bulk from "databases" (which may be nothing more than spreadsheets) rather than filching them one at a time.

    2. macjules Silver badge

      Re: WTF?

      "The problem of data thieves trading personal information is very concerning and one we’re cracking down on"

      Those pesky HMRC thieves selling on UK taxpayers details ... oh, wait.

      1. Tom Paine Silver badge

        Re: WTF?

        I don't know which story you're referring to there, I must have missed it, but if HMRC sold your data to someone else either you agreed to it or they're breaking the law.

  2. alain williams Silver badge

    What about the ambulance chasers ?

    Did ICO/Plod go after these criminals ? These are the very same who provide a market for the calls that we all get ''concerning the accident that you had recently''. Hit them hard with a big stick please, make the directors personally responsible for every penny of fines and do us all a big favour.

    1. John Brown (no body) Silver badge

      Re: What about the ambulance chasers ?

      I wonder if there has ever been a case of a cold calling company being offered this sort of data, where it's blindingly obvious it's not sanctioned by the source company and therefore obviously illegal, who came forward and blew the whistle on the sellers. I'm willing to bet that the answer is "never".

    2. Tom Paine Silver badge

      Re: What about the ambulance chasers ?

      The Directors of Enterprise RentACar did nothing wrong here. You might as well prosecute directors of a bank because someone stuck it up with a shotgun and a sticking over their head.

      1. alain williams Silver badge

        Re: What about the ambulance chasers ?

        It is not the directors of Enterprise RentACar that I am talking about, but those of the solicitors (== ambulance chasers) who bought the records from the three data thieves.

  3. Your alien overlord - fear me

    Why did Enterprise get the £400k? Was it to run more crap adverts on TV?

    And yes, the American style is to ambulance chase !!!

    1. VinceH Silver badge

      Why did Enterprise get the £400k?

      Good question.

      When I first read it, prior to reaching that bit, I was thinking the perpetrators sold the details "for hundreds of thousands of pounds" and then received fines of £7,500, £3,000 and £1,200 - therefore suggesting [some] crime does indeed pay.

      Then I saw the £400,000 and thought, oh, okay, fair enough.

      I initially thought that perhaps prior to any of this ending up in the hands of the law, customers affected by this established for themselves that the ambulance chasers got their contact details from Enterprise's records - so the £400,000 was compensation for damage to their reputation or something like that. (Not that I know what their reputation is like to begin with - I've seen one or two of their adverts, and they're annoying, but that's it.)

      However, I then put two and two together, and I may or may not be coming up with five. The perpetrators sold the details sold the details "for hundreds of thousands of pounds" and £400,000 is indeed hundreds of thousands of pounds. I'm therefore now wondering if Enterprise got from them something in the region of the amount they got from the ambulance chasers - i.e. it was data from Enterprise's records so have they, in effect, successfully got the proceeds of the sale of the data?

    2. 's water music Silver badge

      > Why did Enterprise get the £400k? Was it to run more crap adverts on TV?

      Opportunity cost of of being told to "no thanks, we have it already" when they tried to sell the data themselves?

      1. gnasher729 Silver badge

        "Opportunity cost of of being told to "no thanks, we have it already" when they tried to sell the data themselves?"

        If the company figured out "we could have sold this data for £400,000, but we would never have done that, because of the damage to our reputation if it is found out", and three employees _did_ sell the data for £400,000, then yes, that's £400,000 of damage to the company, plus the difference between (damage to the reputation) and £400,000.

    3. anothercynic Silver badge

      Enterprise went after the three in a civil action. That means the winner of that action gets costs. This is separate to the ICO's fines and court actions.

  4. Anonymous Coward
    Anonymous Coward

    I can name another company that sells customer information...

    Travis Perkins. I created an online account to get a price on something and for laughs called myself a Dr rather than Mr now I get all manner of junk mail for Dr <myname>

    1. Anonymous Coward
      Anonymous Coward

      Re: I can name another company that sells customer information...

      now I get all manner of junk mail for Dr myname

      Write "not known at this address" and put in a postbox - marketing dweebs will kill a mailing identity pretty quickly if they think it is invalid. But for a bit of fun, why not log into your Travis Perkins account, and change your address to their Northampton head office?

      1. Anonymous Coward
        Anonymous Coward

        Re: Write "not known at this address" and put in a postbox - ...

        In my experience, this does not always get the entry removed. I'd even be inclined to say "rarely", but of course I only get reminded by the places which do not remove the mailing identity, not those that do.

        1. Wensleydale Cheese Silver badge

          Re: Write "not known at this address" and put in a postbox - ...

          "In my experience, this does not always get the entry removed."

          The last time I tried that, it all came winging back.

          Threatening to invoice them for "administration costs" if it happened again did work.

      2. Anonymous Coward
        Anonymous Coward

        Re: I can name another company that sells customer information...

        Err, write deceased on it, makes it clear they have a cold lead and it WILL get you removed...does it successfully for years.

        Oh and for cold calls about accidents tell them you killed someone and are gratefuk someone finally believes it's not your fault...then mention seeing body parts strewn about...they won't call again.

        Alternatively say the person they are asking for died this morning and state you are investivating this unexplained death and want to know their relationship to the deceased...they'll usually tell you the company behind the calls and where they got your number.

    2. Tom Paine Silver badge

      Re: I can name another company that sells customer information...

      Complain to the OCO, then, that's what they're there for, and tips from the public are one of the main source of leads for this sort of thing.

  5. Korev Silver badge
    Pirate

    Buying stolen details

    Shouldn't it also be illegal to buy or obtain "stolen" information, in the same ways that receiving stolen goods is an offence.

    Make them all walk the plank ->

    1. Erewhon

      Re: Buying stolen details

      "Shouldn't it also be illegal to buy or obtain "stolen" information"

      You mean like the UK and US government spooks, who simply steal it rather than profit financially from it.

      Or Google/Facebook etc, who take your usage of their systems as implied consent in order to profit from Advertising revenues

    2. Hans Neeson-Bumpsadese Silver badge

      Re: Buying stolen details

      Shouldn't it also be illegal to buy or obtain "stolen" information, in the same ways that receiving stolen goods is an offence.

      As a wise man once said...it's better to give than it is to receive, cos you can get up to 2 years for receiving.

    3. Voland's right hand Silver badge

      Re: Buying stolen details

      Presently it is not. It will shortly be.

      This is the only way the government(s) can get to the likes of Assange as there is no criminal offense for which they can nail them today.

      So it is not a matter of if handling stolen data will be handled like fencing stolen goods. It is a matter of when will this happen.

  6. Dabooka Silver badge
    WTF?

    Did they really steal it for hundreds of thousands?

    Just how much is it worth?

    Thinking about it they'd need quite a lot of return as a business to think £400k on data is worthwhile. Even if the data source is an extremely rich one, the conversion rate via cold calling leading onto a sale (i.e. claim) would need to be very high to leave enough after costs to warrant such a spend.

    And yes, I appreciate No Win No Fee is big business but £400,000 still seems on the high side for purchasing the knock off data

    1. Chris 125

      Re: Did they really steal it for hundreds of thousands?

      It's worth a lot, because it's specifically details of someone who has had an accident in the last few days (if they've got to the point that a hire car is being delivered)

      This is not random cold calling, "Oh hello I'm calling about the accident you've had". This enables the tossers buying the data to be a little more "Oh, hello Mr Jones. Just a followup call about your accident on the 3rd July, we've been instructed to conduct an interview as your car ABC123 was so badly damaged we need to check a few facts to get the compensation going". It's a little more believable.

      Once they've got their foot in as "solicitors" (I'm sure they're called that legally, if not ethically) then there's a huge amount of cash to be had. Firstly, they'll tell the "client" to send their Enterprise car back, as they can arrange a better one (You don't have to accept the insurance's hire car offer, you can arrange it yourself and charge it to the third party's insurance). This will be for £200+ a day rather than the basic Enterprise rate. Naturally the solicitors are paying a nice cheap rate, but the value on paper to the third party is £huge.

      Then they'll start claiming on your behalf for costs - loss of earnings, loss of "enjoyment of personal time" (i.e. you hurt your little finger so couldn't play golf), loss of contents of car, stress etc. All this gets charged to the third party by the solicitors, and you'll get it minus a cut..... OR it gets charged to you in the event it turns out you were to blame. They don't care, they don't ask questions, they send the bill anyway. You can try and deflect it to your own insurers but they'll likely tell you to jog on, since you didn't use their own legal protection and hire car.

      Essentially, if you've had a crash, you're worth a LOT of money. 30 days to resolve a claim at £200 a day car hire plus a cut of personal injury? That's worth more than 50p for a phone number.

      1. Doctor Syntax Silver badge

        Re: Did they really steal it for hundreds of thousands?

        Once they've got their foot in as "solicitors" (I'm sure they're called that legally, if not ethically)

        If they were solicitors I'd have thought the Law Society would have been taking an interest.

  7. This post has been deleted by its author

    1. John Brown (no body) Silver badge

      Re: Increase of Data Selling Due to DRIPA ???

      "The article does not state how they became aware of the selling of the data,"

      Actually, it does. "This prosecution was the result of an ICO investigation brought about after Enterprise found out what was happening,"

      1. This post has been deleted by its author

  8. Anonymous Coward
    Anonymous Coward

    Are the people affected told?

    I rented a car from ERAC last summer and I've a had a few calls from ambulance chasing tossers in the last few months.

    I guess there's loads of places they could get mobile numbers from though.

    1. Timbo

      Re: Are the people affected told?

      "I guess there's loads of places they could get mobile numbers from though."

      Given the "take up" of mobile phones, over the last 10+ years, it's fairly easy to set up an auto-dialler to work through a range of numbers all starting 07...as so many have been issued, there's a good chance of them being successful and hence any numbers that are "live" will give a connection (even if it's just voicemail), while "inactive" numbers won't connect.

      So, the issue of "cold-calling" is just down to the probability of the number being "active", as it is with landline numbers.

      But the scammers have moved on now and want more than just phone numbers - so a name or part of an address is more useful to them :-(

  9. druck Silver badge

    Sue ball

    I think I'll be suing Enterprise for a chunk of that £400,000 to compensate me for all the cold calls I've received since I used their company.

  10. Anonymous Coward
    Anonymous Coward

    Three guilty parties, only victim is punished

    1. Enterprise because they were charged with the protection of the data but (allowed/ conspired with) staff to resell

    2. Data purchasers, who held data without consent and/or if outside UK parties 1/3 guilty of illegal data export/ espionage (hanging too good)

    3. Enterprise employees who sold data "totally" without Enterprise's knowledge.

    Data protection is so broken no one can say it is anything other than an excuse to implement the ideas in the Orwellian research project code name 1984

  11. Alan Brown Silver badge

    The calls aren't stopping

    It explains where the scammers got some of their data from - and in one call where I decided to play with them to waste some time, it became clear that they have direct access into the DVLA's live database too.

    What I don't understand is why the ICO seems unconcerned about this aspect of the scam operation.

    1. davyclam
      Mushroom

      Re: The calls aren't stopping

      Because they're all Lawyers and they all pi55 in the same pot ?

    2. Doctor Syntax Silver badge

      Re: The calls aren't stopping

      "direct access into the DVLA's live database"

      No surprise there: https://www.gov.uk/data-requests-dvla

  12. John Savard Silver badge

    Missing Element

    But can the government impound all the computers of the companies that bought that data, and erase every copy of the illegal data, to ensure the affected individuals will never receive an annoying call like this again?

    If the law doesn't provide for something like this, victims of this sort of crime can't get proper restitution.

  13. nsld

    Only yesterday

    I rented a van from Enterprise and on collection I was asked to give a second phone number of someone they could contact in case of an emergency.

    I said no, on the basis that I am an orphan so they would need Derek Accorah to contact my parents and that as my partner wasnt present I didnt have her consent to give her number. They insisted on a second number and so they got the broadband line which has no handset attached to it.

    I explained to them that asking people for other peoples numbers was a dubious practice given the use of it for telemarketing spam and then today I read this article.

    The best part was apparently this 2nd number was "enforced on the system" which was bollocks as I had rented a car 2 weeks prior and also have an enterprise account neither of which has never asked for a second number.

    Got to wonder if the staff in my local branch of Enterprise aren't doing a little light data skimming?

    1. Alan Brown Silver badge

      Re: Only yesterday

      "Got to wonder if the staff in my local branch of Enterprise aren't doing a little light data skimming?"

      Notify the ICO.

      My experience of these kinds of scams is that it's seldom confined to one or two branches. The gangs will systematically attempt to subvert staff at as many locations as they can.

    2. Anonymous Coward
      Anonymous Coward

      Re: Only yesterday

      Give them a 2nd number made up on the spot. It's not rocket science. They're happy. You're happy. No worries.

  14. armyknife

    Error in news item.

    " Winchester Crown Court " should of course be written " Winchester Crown Court, England " ;-)

  15. David Roberts Silver badge

    Enterprise

    Currently my car hire firm of choice (for infrequent hires).

    Purely because their pricing model is dirt cheap rental and expensive insurance for the excess.

    If you buy an annual third party policy (probably around £50) to cover the insurance excess you are quids in after a few days rental.

    Caveat - just tried to check prices (slow web site) and a hire seems to be around £40 per day. So perhaps they have changed their pricing model. Could go as low as £14 a day a while back.

  16. Anonymous Coward
    Anonymous Coward

    Make the punishment fit the crime

    In this case, the miscreants should get random calls over 6 month from ambulance chasers after 5pm which they must answer and spend at least 2 minutes on said call. Failure to do so (or answer the call) = 1/2 day in jail per call when the 6 months is up.

    If that does not give them an insight into people's desire for privacy then nothing will.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019