Former RAC Employees Get Suspended Sentence for Data Theft

Written by

Two former customer service employees at UK motoring services company RAC have received suspended prison sentences for unlawfully selling personal information, according to the Information Commissioner’s Office (ICO).

Debbie Okparavero, 61, of Salford and Maliha Islam, 51, of Manchester, worked at an RAC call center in the Greater Manchester town of Stretford, according to the data protection regulator.

Their employer apparently discovered the illegal conduct after installing new monitoring software, which revealed that they had accessed and copied over 29,500 lines of personal information relating to road traffic accident victims.

An unnamed third party was paying them for the information, a subsequently search of Okparavero’s phone and the WhatsApp messages she shared with Islam revealed.

Read more on insider threats: 68% of Legal Sector Data Breaches Caused by Insider Threats

Head of ICO investigations, Andy Curry, confirmed that accessing personal information when there’s not a business case for doing so is against the law.

“To then take steps to profit from other people’s misfortune by selling that information is appalling. We will always take action to protect the public from this type of unlawful behaviour,” he added in a statement.

“We would like to thank the RAC for their swift action in bringing this breach to our attention enabling us to ensure justice was served.”

At a hearing at Minshull Street Crown Court on October 8, Okparavero and Islam were sentenced to six-month prison sentences, suspended for 18 months, after pleading guilty to offenses under the Computer Misuse Act 1990 and Data Protection Act 2018. 

Each was also ordered to complete 150 hours of unpaid work.

Insider Threats on the Rise

Malicious insider threats are often harder to spot than third-party data breaches, as the individuals involved go to great lengths to conceal their actions.

In March, the ICO said it was investigating a leak at The London Clinic following media reports that staff there had attempted to access the Princess of Wales’ private medical records during her stay at the hospital in January 2024 following abdominal surgery.

A report from Cifas in April revealed that the number of individuals recorded in its cross-sector Insider Threat Database (ITD) increased 14% annually in 2023. The non-profit claimed that the growth of remote working is making it easier for malign employees to get away with their actions.

Image credit: Sue Thatcher / Shutterstock.com

What’s hot on Infosecurity Magazine?