An accident repair centre worker who stole customer data from a previous employer has been ordered to pay £33,500 eight months after an Information Commissioner’s Office (ICO) led prosecution saw him jailed for six months.
AM reported last November how Mustafa Kasim, of Palmer’s Green ,was jailed for six months after he pleaded guilty to an ICO-led prosecution related to his unauthorised access to personal data between January 13, 2016, and October 19, 2016.
He was the first person to be imprisoned following an ICO prosecution, which was brought under the Computer Misuse Act 1990.
In a hearing on July 15 Wood Green Crown Court, in London, heard how Kasim benefited from thousands of pounds as a result of the offences and he has now been ordered to pay a £25,500 confiscation order. He was also ordered to pay £8,000 costs.
Kasim now has three months to pay the confiscation order under the Proceeds of Crime Act 2002 or could face a 12 month prison sentence.
Mike Shaw, group manager enforcement at the ICO, said: “Our investigations found that Mr Kasim had benefitted financially from his illegal activity.
“As a result of his activities, people whose data had been stolen received cold calls and his former employer faced huge remedial costs.
“Personal data obtained in this way can be a valuable commodity and selling it may seem like an easy way to make money but the penalties can be severe.
“The outcome of this case should serve as a deterrent to others.”
Kasim accessed thousands of customer records containing personal data without permission, using a colleagues’ log-in details to gain access to the Audatex system at his previous employer former employee of Nationwide Accident Repair Services (NARS).
The ICO said that Kasim had continued to access the software system, which estimates the cost of vehicle repairs, after he started a new job at a different car repair organisation which also used Audatex a system holding records of customers’ names, phone numbers, vehicle and accident information.
NARS contacted the ICO when it saw an increase in customer complaints about nuisance calls and assisted the ICO with their investigation.
The ICO usually prosecutes cases like this under the Data Protection Act 1998 or 2018 but said in a statement issued in November last year that it had prosecuted this case under s.1 of the Computer Misuse Act 1990 “to reflect the nature and extent of the offending and for the sentencing Court to have a wider range of penalties available”.