Two former employees of mobile phone provider T-Mobile have been ordered by a court in the United Kingdom to pay £73,700 (approximately $120,000) for the theft of T-Mobile customers’ personal data.  The Chester Crown Court ordered David Turley and Darren Hames to pay £45,000 and £28,700 respectively, under confiscation orders, along with prosecution costs.

This is the first time that the Information Commissioner’s Office (“ICO”) has applied for and been granted the use of confiscation orders under the Proceeds of Crime Act 2002 (“POCA”).  Under the POCA, a proportion of any money recovered may be given to the prosecuting authority to be used in the prevention and detection of crime.  The ICO will receive a portion of the repayments, which it will use to fund further training for investigation staff.

In addition, this is the largest amount ever recovered from individuals found guilty of data theft.  It is notable that, despite the fact both men pleaded guilty to the section 55 offense of unlawfully obtaining personal data, they were not fined under section 55 of the Data Protection Act 1998.  Instead, only confiscation orders were issued under the POCA.

The ICO launched an investigation in December 2008 after receiving a complaint from T-Mobile.  The company had suspected that customer contract renewal data was being disclosed from within the organization and cooperated with the ICO in its investigation, which led to police raids at several businesses and homes in 2009.  In 2010, both men pleaded guilty to a number of offenses, namely obtaining personal data without the data controller’s consent and selling that data to a third party.  Sentencing and the final confiscation hearing took place on June 10, 2011.  If the confiscation orders are not paid within six months, the two men will serve prison sentences of 18 months for Mr. Turley and 15 months for Mr. Hames.

In the ICO’s news release, Information Commissioner Christopher Graham warned that the ICO is taking a tough stance on data theft and has the means to investigate and pursue suspected individuals.  “Those who have regular access to thousands of customer details may think that attempts to use it for personal gain will go undetected,” Graham said.  “But this case shows there is always an audit trail and my office will do everything in its power to uncover it.”

View the ICO’s case summary.