UK’s Information Commissioner’s Office (ICO) responds to flagrant violation with criminal prosecution

A corrupt UK motor industry worker has been jailed for six months as the result of the first ICO-initiated prosecution under the Computer Misuse Act.

Mustafa Kasim, 35, a former worker at accident repair firm Nationwide Accident Repair Services (NARS), abused a system that estimates the cost of vehicle repairs, known as Audatex, to access thousands of customer records containing personal data.

Kasim used a colleague’s login details to access Audatex without permission, continuing to use these purloined credentials even after he changed job and began work for a different (unnamed) car repair organization.

The records contained customers’ names and phone numbers, as well as vehicle and accident information.

Kasim, of Palmers Green, London, sold on this information, which was subsequently abused by various claims management companies.

The abuse was discovered after NARS responded to an increase in customer complaints about nuisance calls by contacting data privacy watchdogs at the ICO, which launched an investigation.

Kasim was identified as a suspect and a decision was taken to treat the offending as a criminal offence under the UK’s Computer Misuse Act (the country’s anti-hacking laws) rather than as a breach of data protection regulations, which is punishable only by a fine.

A spokeswoman for the ICO explained that the egregious nature of Kasim’s offending provoked this tougher response.

An ICO spokesperson said: “We prosecuted under the CMA 1990 as this was a serious offence and the features of this particular case meant that this was possible.

“We wanted the sentencing court to have a wider range of penalties available to them to reflect the nature and extent of the offending.”

NARS – Kasim’s former employers – were not found culpable in his offending, the ICO spokeswoman added.

“We did not take action against NARS. NARS contacted the ICO when they saw an increase in customer complaints and worked with us closely during the investigation.

“We provided them with advice and guidance on putting measures in place to prevent this happening again and we are satisfied that they have done so.”

In a statement, Mike Shaw, head of criminal investigations at the ICO, explained: “Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws, resulting in a tougher penalty to reflect the nature of the criminal behavior.”

Kasim pleaded guilty at a hearing in September 2018 to one charge of securing unauthorised access to personal data between January 2016 and October 2016, prior to sentencing at London’s Wood Green Crown Court.

Confiscation proceedings to seize the proceeds of crime were initiated at the time of sentencing and remain ongoing. It’s unclear how much Kasim made from the unethical and ill-advised scam.

Both NARS and Audatex have established tougher technical and organizational controls to safeguard their systems and guard against similar offending in the future.